PCT/FR99/03065

PATENT COOPERATION TREATY

From the INTERNATIONAL BUREAU

PCT

NOTIFICATION OF ELECTION
(PCT Rule 61.2)

To:
Assistant Commissioner for Patents
United States Patent and Trademark Office
Box PCT
Washington, D.C. 20231
UNITED STATES OF AMERICA
in its capacity as elected Office

Date of mailing (day/month/year): 19 June 2000 (19.06.00)

International application No.: PCT/FR99/03065
Applicant's or agent's file reference: 76.0552
International filing date (day/month/year): 08 December 1999 (08.12.99)
Priority date (day/month/year): 08 December 1998 (08.12.98)
Applicant: BURIANNE, Yannick

1. The designated Office is hereby notified of its election, which was made:
[X] in the demand for international preliminary examination submitted to the International Preliminary Examining Authority on: 15 May 2000 (15.05.00)
[ ] in a notice effecting a later election filed with the International Bureau on:

2. The election [X] was made / [ ] was not made before the expiration of 19 months from the priority date or, where Rule 32 applies, within the time limit referred to in Rule 32.2(b).

The International Bureau of WIPO
34, chemin des Colombettes
1211 Geneva 20, Switzerland
Facsimile No.: (41-22) 740.14.35
Telephone No.: (41-22) 338.83.38

Authorized officer: R. Forax

Form PCT/IB/331 (July 1992)







PATENT COOPERATION TREATY

PCT

INTERNATIONAL PRELIMINARY EXAMINATION REPORT
(PCT Article 36 and Rule 70)

Applicant's or agent's file reference: 76.0552
FOR FURTHER ACTION: see Notification of Transmittal of International Preliminary Examination Report (Form PCT/IPEA/416)

International application No.: PCT/FR99/03065
International filing date (day/month/year): 08/12/1999
Priority date (day/month/year): 08/12/1998
International Patent Classification (IPC) or both national classification and IPC: G07F7/10
Applicant: SCHLUMBERGER SYSTEMES et al.

1. This international preliminary examination report, established by the International Preliminary Examining Authority, is transmitted to the applicant in accordance with Article 36.

2. This REPORT consists of 5 sheets, including this cover sheet.
[ ] It is accompanied by ANNEXES, i.e. sheets of the description, claims or drawings which have been amended and serve as the basis for this report, or sheets containing rectifications made before the International Preliminary Examining Authority (see Rule 70.16 and Section 607 of the Administrative Instructions under the PCT). These annexes consist of ___ sheets.

3. This report contains indications relating to the following items:
I    [X] Basis of the report
II   [ ] Priority
III  [ ] Non-establishment of opinion with regard to novelty, inventive step and industrial applicability
IV   [ ] Lack of unity of invention
V    [X] Reasoned statement under Article 35(2) with regard to novelty, inventive step and industrial applicability; citations and explanations supporting such statement
VI   [ ] Certain documents cited
VII  [X] Certain defects in the international application
VIII [ ] Certain observations on the international application

Date of submission of the demand for international preliminary examination: 15/05/2000
Date of completion of this report: 30.05.00

Name and mailing address of the International Preliminary Examining Authority:
European Patent Office
D-80298 Munich
Tel. +49 89 2399-0   Tx: 523656 epmu d
Fax: +49 89 2399-4465

Authorized officer: Beauca, G
Telephone No. +49 89 2399 2519

Form PCT/IPEA/409 (cover sheet) (January 1994)





INTERNATIONAL PRELIMINARY EXAMINATION REPORT

International application No. PCT/FR99/03065

I. Basis of the report

1. This report has been drawn up on the basis of the following elements (replacement sheets which have been furnished to the receiving Office in response to an invitation under Article 14 are referred to in this report as "originally filed" and are not annexed to the report since they do not contain amendments):

Description, pages: 1-8, as originally filed
Claims, Nos.: 1-11, as originally filed
Drawings, sheets: 1/4-4/4, as originally filed

2. The amendments have resulted in the cancellation of:
[ ] the description, pages:
[ ] the claims, Nos.:
[ ] the drawings, sheets:

3. [ ] This report has been established as if (some of) the amendments had not been made, since they have been considered to go beyond the disclosure as filed, as indicated below (Rule 70.2(c)):

4. Additional observations, if necessary:

V. Reasoned statement under Article 35(2) with regard to novelty, inventive step and industrial applicability; citations and explanations supporting such statement

1. Statement

Novelty:                  Yes: Claims 1-11    No: Claims
Inventive step:           Yes: Claims 1-11    No: Claims
Industrial applicability: Yes: Claims 1-11    No: Claims

2. Citations and explanations
see separate sheet

VII. Defects in the international application

The following defects in the form or contents of the international application have been noted:
see separate sheet
Concerning item V

Reasoned statement under Article 35(2) with regard to novelty, inventive step and industrial applicability; citations and explanations supporting such statement

1. Reference is made to the following document:

D1: EP-A-0 540 095 (PHILIPS COMPOSANTS; KONINKL PHILIPS ELECTRONICS NV (NL)) 5 May 1993 (1993-05-05)

2. Document D1 is considered the closest prior art and describes an integrated-circuit device comprising a memory and at least one application program resident in said memory.

The subject matter of independent claim 1 differs from that disclosed in document D1 in that the application program comprises at least one configurable variable and a list of at least one referenced element. Moreover, the memory comprises, on the one hand, at least one means for initialising variables, said means being parameterised by several parameters one of which is the list of referenced elements, and, on the other hand, a command making it possible to send data containing in particular values to be assigned to the configurable variables.

The subject matter of independent claim 1 is therefore novel under Article 33(2) PCT.

The corresponding method claim also meets the requirements set out in Article 33(2) PCT.

3. The drawback arising from the use of such a device is the large memory area needed to initialise the variables. Moreover, the time needed to execute the application program is increased because it has to be executed even if the initialisation values have not changed (since the initialisation phase is an integral part of the application program).

The solution adopted by the present invention and contained in claims 1 and 11 does not follow in an obvious manner from the teaching of the documents cited in the international search report in combination with the knowledge of the person skilled in the art.

Consequently, the subject matter of independent claims 1 and 11 meets the requirements of Article 33(3) PCT.

4. The requirement of industrial applicability is also met (Article 33(4) PCT).

5. The subject matter of dependent claims 2 to 10 also appears to meet the requirements of Article 33 PCT.

Concerning item VII

Defects in the international application

1. Contrary to what Rule 5.1(a)(ii) PCT requires, the description does not indicate the relevant prior art set out in document D1 and does not cite this document.

2. The features appearing in the claims are not accompanied by reference signs placed between parentheses (Rule 6.2(b) PCT).
1. This international preliminary examination report has been prepared by this International Preliminary Examining Authority and is transmitted to the applicant according to Article 36.

2. This REPORT consists of a total of ___ sheets, including this cover sheet.

[ ] This report is also accompanied by ANNEXES, i.e., sheets of the description, claims and/or drawings which have been amended and are the basis for this report and/or sheets containing rectifications made before this Authority (see Rule 70.16 and Section 607 of the Administrative Instructions under the PCT). These annexes consist of a total of ___ sheets.

3. This report contains indications relating to the following items:
I    [X] Basis of the report
II   [ ] Priority
III  [ ] Non-establishment of opinion with regard to novelty, inventive step and industrial applicability
IV   [ ] Lack of unity of invention
V    [X] Reasoned statement under Article 35(2) with regard to novelty, inventive step or industrial applicability; citations and explanations supporting such statement
VI   [ ] Certain documents cited
VII  [X] Certain defects in the international application
VIII [ ] Certain observations on the international application
INTERNATIONAL PRELIMINARY EXAMINATION REPORT

International application No. PCT/FR99/03065

I. Basis of the report

1. This report has been drawn on the basis of (Replacement sheets which have been furnished to the receiving Office in response to an invitation under Article 14 are referred to in this report as "originally filed" and are not annexed to the report since they do not contain amendments.):

[ ] the international application as originally filed.

[X] the description, pages 1-8, as originally filed,
[ ] pages ___, filed with the demand,
[ ] pages ___, filed with the letter of ___,
[ ] pages ___, filed with the letter of ___,

[X] the claims, Nos. 1-11, as originally filed,
[ ] Nos. ___, as amended under Article 19,
[ ] Nos. ___, filed with the demand,
[ ] Nos. ___, filed with the letter of ___,
[ ] Nos. ___, filed with the letter of ___,

[X] the drawings, sheets/fig 1/4-4/4, as originally filed,
[ ] sheets/fig ___, filed with the demand,
[ ] sheets/fig ___, filed with the letter of ___,
[ ] sheets/fig ___, filed with the letter of ___,

2. The amendments have resulted in the cancellation of:
[ ] the description, pages ___
[ ] the claims, Nos. ___
[ ] the drawings, sheets/fig ___

3. [ ] This report has been established as if (some of) the amendments had not been made, since they have been considered to go beyond the disclosure as filed, as indicated in the Supplemental Box (Rule 70.2(c)).

4. Additional observations, if necessary:
V. Reasoned statement under Article 35(2) with regard to novelty, inventive step or industrial applicability; citations and explanations supporting such statement

1. Statement

Novelty (N):                   YES  Claims 1-11    NO  Claims
Inventive step (IS):           YES  Claims 1-11    NO  Claims
Industrial applicability (IA): YES  Claims 1-11    NO  Claims

2. Citations and explanations

1. Reference is made to the following document:

D1: EP-A-0 540 095 (PHILIPS COMPOSANTS; KONINKL PHILIPS ELECTRONICS NV (NL)), May 5 1993 (1993-05-05).

2. Document D1, which is considered the closest prior art, describes an integrated circuit device with a memory and an application programme resident in said memory.

The subject matter of independent Claim 1 differs from that disclosed in document D1 in that said application programme includes at least one configurable variable and a list with at least one reference element. Moreover, said memory comprises at least one variable initialising means parameterised with a plurality of parameters, one of which is the list of reference elements, as well as an instruction for sending data containing, in particular, values to be assigned to said configurable variables.

The subject matter of independent Claim 1 is therefore novel under PCT Article 33(2).

The corresponding method claim also meets the requirements of PCT Article 33(2).

3. The disadvantage resulting from the use of such a device is the substantial memory area required to initialise the variables. Moreover, the time required to run the application programme is increased due to the fact that it must be run even if the initialisation values have not been changed (since the initialisation phase is an integral part of the application programme).

The solution proposed by the present invention and contained in Claims 1 and 11 cannot be derived in an obvious manner from the teaching of the documents cited in the international search report, in combination with the knowledge of a person skilled in the art.

Hence, the subject matter of independent Claims 1 and 11 meets the requirements of PCT Article 33(3).

4. The requirements of industrial applicability are also met (PCT Article 33(4)).

5. The subject matter of dependent Claims 2 to 10 also appears to meet the requirements of PCT Article 33.

Form PCT/IPEA/409 (Box V) (January 1994)
VII. Certain defects in the international application

The following defects in the form or contents of the international application have been noted:

1. Contrary to the requirements of PCT Rule 5.1(a)(ii), the description does not outline the relevant prior art set forth in document D1 and does not cite this document.

2. The features appearing in the claims are not accompanied by reference signs between brackets (PCT Rule 6.2(b)).
(57) Abstract

The invention concerns a device with an integrated circuit comprising a storage unit and a resident applicative programme in said storage unit. The invention is characterised in that said applicative programme comprises at least a configurable variable and a list of at least one reference element, and said storage unit comprises at least means for initialising said variables, said means being parameterised by several parameters whereof one of the parameters is said list of reference elements and a command for sending data containing in particular values to be assigned to the configurable variables. The invention is particularly applicable to chip cards.

(57) Abstract (translated from the French text)

The invention concerns an integrated-circuit device comprising a memory and at least one application program resident in said memory. The invention is characterised in that said application program comprises at least one configurable variable and a list of at least one referenced element, and in that said memory comprises, on the one hand, at least one means for initialising said variables, said means being parameterised by several parameters one of which is said list of referenced elements, and, on the other hand, a command making it possible to send data containing in particular values to be assigned to the configurable variables. The invention applies in particular to smart cards.
DEVICE AND METHOD FOR INITIALISING AN APPLICATION PROGRAM OF AN INTEGRATED-CIRCUIT CARD

The present invention relates to an integrated-circuit device comprising a memory and at least one application program resident in said memory. It also relates to a method for initialising an application program of such a device. Said devices are in particular portable objects called smart cards, comprising application programs relating to the field of health, to mobile telephony, or to the banking field.

Said smart cards comprise a card body in which is integrated an electronic module conventionally containing a control element (for example a central processing unit or CPU) and a memory. Said memory comprises at least one application program containing unit elements to which values are assigned so that the program can be executed, said elements not being modified during execution of said application program. These elements are called configurable variables.

In order to configure said variables, the prior art proposes devices that provide files containing data which are assigned to the variables during a so-called initialisation phase. This initialisation phase is necessary for the application program to run properly. To this end, said devices comprise a control means which makes it possible to modify the values of said initialisation data in said files and then to assign these data to said variables. When these variables are stored in memory permanently, they retain their initialisation value even if the card is no longer powered.

Although these devices make it possible to configure an application program, the initialisation values are duplicated in two memory areas of almost identical size, one containing the initialisation data files and the other being the space allocated for the variables that are initialised with said data, which can be troublesome given the limited memory size of smart cards. Moreover, the execution time of said application program is appreciably increased, in particular because said initialisation phase has to be performed on each execution of the program even if the initialisation values have not changed, since said initialisation phase is an integral part of the application program. Finally, there are cases where either the application program has no privilege to access said files, or said card simply has no files at all.

Thus a technical problem to be solved by the object of the present invention is to propose an integrated-circuit device comprising a memory and at least one application program resident in said memory, as well as a method for initialising an application program of such a device, which would make it possible, on the one hand, to configure an application program without duplicating data and thus to avoid the loss of memory space due to the aforementioned files, and, on the other hand, to avoid increasing the execution time of said application program.

A solution to the technical problem posed is characterised, according to a first object of the present invention, in that said application program comprises at least one configurable variable and a list of at least one referenced element, and in that said memory comprises, on the one hand, at least one means for initialising said variables, said means being parameterised by several parameters one of which is said list of referenced elements, and, on the other hand, a command making it possible to send data containing in particular values to be assigned to the configurable variables.
According to a second object of the present invention, this solution is characterised in that the initialisation method comprises the steps of:

- creating, in said application program, at least one configurable variable and a list of at least one referenced element,

- sending data containing in particular values to be assigned to the configurable variables,

- initialising said variables by means of an initialisation means, said means being parameterised by several parameters one of which is said list of referenced elements.

Thus, as will be seen in detail below, the device of the invention makes it possible to have optimised management of the card memory and direct configuration of the variables of an application program, thanks to the command which makes it possible to modify the values assigned to the configurable variables, and thanks also to the list of referenced elements passed as a parameter to the initialisation means, a list which makes it possible to establish a link between the values sent by said command and the variables of the application program to be configured.

The following description, with reference to the appended drawings and given by way of non-limiting example, will make clear what the invention consists of and how it can be carried out.

Figure 1 is a diagram of an integrated-circuit device, here a smart card.

Figure 2 is a diagram of a memory of the card of Figure 1.

Figure 3 is a diagram of an application program of the card of Figure 1.

Figure 4 is a diagram of a command of the card of Figure 1.
Figure 5 is a diagram of a list of elements of an application program of the memory of Figure 2.

Figure 6 is another diagram of the memory of the card of Figure 1.

Figure 7 is a diagram showing variables contained in the application program of Figure 3.

Figure 1 shows an integrated-circuit device 10, here a smart card.

This card 10 contains a control element 11 (for example a central processing unit or CPU), a memory 12 and a contact block 13 intended for electrical connection with, for example, a connector of a card reader.

Said memory 12 is shown in Figure 2. It comprises an application program A. Said program A comprises at least one configurable variable V and a list L of at least one referenced element R. Said memory comprises, on the one hand, at least one means MI for initialising said variables V, said means being parameterised by several parameters one of which is said list L of referenced elements, and, on the other hand, a command CDE making it possible to send data containing in particular values to be assigned to the configurable variables. The means MI is a function or a piece of program. In Figure 3, the application program A comprises three configurable variables V1, V2 and V3 and a list L containing three referenced elements R1, R2 and R3.

For program A to run correctly, its variables must be configured, that is to say values must be assigned to them.

In a first step, the command CDE is sent to the card 10. It comprises data such as, for example, a number of referenced elements R, numbers indexing the referenced elements of a list, associated values, and so on. In Figure 4, the command CDE sends the following three alphanumeric values: APPLICATION GSM, TELEPHONER and APPEL EN COURS. These values are preceded by the indices 1, 2 and 3, which correspond to three referenced elements.

When the application program A receives the command CDE, it is executed and the initialisation phase calling upon the means MI begins.

In a second step, a link is built between the values sent by the command CDE and the referenced elements of a specific list L. The list L of referenced elements parameterising the initialisation means MI makes it possible to establish this link. The other parameters include, among others, the data sent by said command CDE. The list L is specified by giving, for example, its name. In Figure 5, L is called CUSTOMELEMENT. It contains three referenced elements MENU, TEXT and MESSAGE, with which are associated the respective alphanumeric values APPLICATION GSM, TELEPHONER and APPEL EN COURS. These values come from the command CDE.

In a third step, the initialisation means MI establishes a link between said values of said list L and the variables V to be configured, by means of the referenced elements R. To this end, a referenced element R refers to a configurable variable V. In Figure 3, R1, R2 and R3 refer respectively to the variables V1, V2 and V3, the latter being variables of which all or part of the content is to be initialised. It is thanks to these various links that the transfer of the values to said variables takes place.

Once this transfer has been carried out, the configuration of the application program A is complete and the rest of said program can proceed as desired. The device according to the invention contains no files; as a result, the configuration of the variables has been direct.

It will be noted that the invention also provides that said command CDE makes it possible to read the content of the configurable variables, thanks to the presence of a parameter of said command called MODE, which indicates whether the command is to send or to read data. This makes it possible to read the values of the variables V at any time and consequently to know the configuration of the application program A at any time.
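The three steps above, together with the MODE parameter and the method steps stated earlier (create the variables and the list, send the data, initialise through a means parameterised by the list), can be followed in the Python simulation below. It is an added example and not code from the patent or from the applicant: the names V1 to V3, CUSTOMELEMENT, MENU/TEXT/MESSAGE, CDE, MI and MODE come from the description, while the byte layout of the command, the MODE values 0x00/0x01, the function names and the index checks are assumptions made here. The check that every index falls inside the list before any variable is written is the point a card developer would want: a malformed command must not partially configure the program.

```python
"""Simulation of the CDE -> list L -> variables V initialisation (added example)."""
from dataclasses import dataclass

MODE_SEND = 0x00  # assumed encoding of MODE: the command carries values to assign
MODE_READ = 0x01  # assumed encoding of MODE: the command reads values back


@dataclass
class ApplicationProgram:
    """Program A: persistent configurable variables V, named lists L of
    referenced elements R, and the variable each element R refers to."""
    variables: dict   # {"V1": value, ...}
    lists: dict       # {"CUSTOMELEMENT": ["MENU", "TEXT", "MESSAGE"]}
    refs: dict        # {"MENU": "V1", ...}


def build_cde(mode, entries):
    """Encode a command CDE: MODE, number of elements, then for each element
    its 1-based index, the value length and the value bytes (assumed format)."""
    out = bytearray([mode, len(entries)])
    for index, value in entries:
        data = value.encode("latin-1")
        out += bytes([index, len(data)]) + data
    return bytes(out)


def parse_cde(cde):
    """Decode a command produced by build_cde; truncated commands are rejected."""
    if len(cde) < 2:
        raise ValueError("CDE too short")
    mode, count = cde[0], cde[1]
    entries, pos = [], 2
    for _ in range(count):
        if pos + 2 > len(cde):
            raise ValueError("truncated CDE element header")
        index, length = cde[pos], cde[pos + 1]
        pos += 2
        if pos + length > len(cde):
            raise ValueError("truncated CDE value")
        entries.append((index, cde[pos:pos + length].decode("latin-1")))
        pos += length
    if pos != len(cde):
        raise ValueError("trailing bytes in CDE")
    return mode, entries


def initialise(program, list_name, cde):
    """Initialisation means MI, parameterised by the list L (by name) and the CDE
    data. Step 2 binds each sent value to a referenced element of L; step 3
    follows the element to its variable V. Every index is validated before any
    variable is written, so a bad command changes nothing.
    Returns {variable: value} for the elements addressed."""
    mode, entries = parse_cde(cde)
    if mode not in (MODE_SEND, MODE_READ):
        raise ValueError(f"unknown MODE {mode:#x}")
    elements = program.lists[list_name]
    bound = []
    for index, value in entries:
        if not 1 <= index <= len(elements):
            raise IndexError(f"index {index} is outside list {list_name}")
        ref = elements[index - 1]                  # step 2: value -> element R
        bound.append((program.refs[ref], value))   # step 3: R -> variable V
    result = {}
    for var, value in bound:
        if mode == MODE_SEND:
            program.variables[var] = value
        result[var] = program.variables[var]
    return result


def new_program():
    """Figures 3 and 5: V1..V3 and the list CUSTOMELEMENT (constructed sample)."""
    return ApplicationProgram(
        variables={"V1": None, "V2": None, "V3": None},
        lists={"CUSTOMELEMENT": ["MENU", "TEXT", "MESSAGE"]},
        refs={"MENU": "V1", "TEXT": "V2", "MESSAGE": "V3"},
    )


def configure(program):
    """Step 1, the command of Figure 4: three values preceded by indices 1, 2, 3."""
    cde = build_cde(MODE_SEND, [(1, "APPLICATION GSM"),
                                (2, "TELEPHONER"),
                                (3, "APPEL EN COURS")])
    return initialise(program, "CUSTOMELEMENT", cde)


def read_back(program, *indices):
    """MODE read: the same command with empty values returns the configuration."""
    cde = build_cde(MODE_READ, [(i, "") for i in indices])
    return initialise(program, "CUSTOMELEMENT", cde)


def bad_index_is_refused(program):
    """A command indexing a fourth element, which L does not have, must be
    rejected without touching the variables it could have reached."""
    before = dict(program.variables)
    try:
        initialise(program, "CUSTOMELEMENT", build_cde(MODE_SEND, [(1, "x"), (4, "y")]))
    except IndexError:
        return program.variables == before
    return False
```

Because the variables persist in the program object, a second run of the program can skip `configure` entirely and still see the values, which is the execution-time saving the description claims; `read_back` is how the MODE parameter lets the configuration be inspected without re-sending it.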

In order to save memory space and to make initialisations uniform, it may be of interest to allow one or more application programs to use the same initialisation means MI. Thus, at least one initialisation means MI resides in said memory independently of an application program A. This means that said means MI can be used by all the application programs resident in the card 10 and is not specific to any particular program A. As shown in Figure 6, the means MI1 is independent of the application programs A1 and A2 and can therefore be used by either of these programs.

However, it may also be useful to be able to customise the initialisation means for a given application program by having a means different from MI1, for example where one wants a data exchange protocol different from that of MI1, that is to say a different initialisation data format. As shown in Figure 6, at least one application program A2 comprises an initialisation means MI2. To configure the variables of A2, one will have the choice of using the means MI1 or MI2, provided said variables comply with the respective data format of said means.

It will be noted that it is also possible to have no means MI independent of an application program, each initialisation means MI being, in that case, specific to an application program, or, on the contrary, to have only independent means.

The present invention applies particularly to application programs that are programmed in high-level languages such as, in particular, a language called JAVA (registered trademark). This language handles the notions of class, inheritance, attribute and method well known to the person skilled in the art.

Where the application program A is programmed in JAVA, the configurable variables are objects and a list of referenced elements refers to a set of objects. In Figure 7, the memory 12 comprises an application program A. Said application program A comprises at least two configurable variables V1 and V3 referenced in the same list and which derive from the same parent class C0. Moreover, said application program A comprises at least two configurable variables V1 and V2 referenced in the same list and which are instances of the same class C1. The various classes are defined either in the application program A or independently, for example in a library. Said configurable variables are persistent in said memory 12.

It can be seen that said list L represents objects having either some points in common (the variables or objects V1 and V3 inherit the attribute At1 and the methods M1 and M2 of class C0 but have their own attributes and methods) or all their points in common (V1 and V2 are instances of class C1, which has the attribute At2 and the method M3). To configure said objects, a list L must be of the same type as a parent class or as the class of said objects. Thus a simple means MI1 will make it possible to configure part of the content of the objects V1, V2 and V3, namely the attribute At1. One could also have another, more complex means MI2 making it possible to configure all of the attributes At1 and At2 of the variables V1 and V2.

WO 00/34927 PCT/FR99/03065

It is thanks to the definition of the type of said list L that the present invention makes it possible to modify the values of the attributes of well-specified objects and thus to prevent the inadvertent modification of the content of other objects. Moreover, thanks to the present invention, there is no direct access to the memory location containing all the variables of the application program A and, consequently, there is no risk of fraudulently modifying all these variables.
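The two preceding paragraphs can be made concrete with the Python model below, an added example that is not code from the patent or from the applicant. The class names C0 and C1, the attributes At1 and At2, the methods M1 to M3 and the means MI1 and MI2 follow Figure 7; the TypedList class, the Foreign object, the data formats expected by MI1 and MI2 and the error messages are assumptions of this example. It shows why the type of the list matters: a list typed C0 can only ever lead an initialisation means to objects that derive from C0, and a means that writes At2 cannot be applied through a list whose type does not guarantee that attribute exists.

```python
"""Typed list L over a class hierarchy (added example modelled on Figure 7)."""


class C0:
    """Parent class: attribute At1, methods M1 and M2."""
    def __init__(self):
        self.At1 = None

    def M1(self):
        return self.At1

    def M2(self):
        return self.At1 is not None


class C1(C0):
    """Derives from C0 and adds attribute At2 and method M3."""
    def __init__(self):
        super().__init__()
        self.At2 = None

    def M3(self):
        return (self.At1, self.At2)


class Foreign:
    """Some other object of program A, in neither class; it must stay out of reach."""
    def __init__(self):
        self.payload = "untouched"


class TypedList:
    """List L with an element type (assumed model): every referenced object must be
    an instance of that type, checked when the list is built."""
    def __init__(self, name, element_type, objects):
        for obj in objects:
            if not isinstance(obj, element_type):
                raise TypeError(f"{name}: {type(obj).__name__} is not a {element_type.__name__}")
        self.name, self.element_type, self.elements = name, element_type, list(objects)


def MI1(lst, at1_values):
    """Simple means: any list typed C0 or a subclass; data format is one At1 per element."""
    if not issubclass(lst.element_type, C0):
        raise TypeError("MI1 needs a list typed C0 or a subclass of it")
    if len(at1_values) != len(lst.elements):
        raise ValueError("MI1 expects exactly one value per referenced element")
    for obj, at1 in zip(lst.elements, at1_values):
        obj.At1 = at1


def MI2(lst, pairs):
    """More complex means: needs a list typed C1 (so At2 exists on every element);
    data format is an (At1, At2) pair per element. All checks precede any write."""
    if not issubclass(lst.element_type, C1):
        raise TypeError("MI2 needs a list typed C1 or a subclass of it")
    if len(pairs) != len(lst.elements):
        raise ValueError("MI2 expects exactly one (At1, At2) pair per referenced element")
    for obj, (at1, at2) in zip(lst.elements, pairs):
        obj.At1, obj.At2 = at1, at2


def new_program():
    """Constructed sample: V1 and V2 are instances of C1, V3 of C0 (all derive from C0)."""
    return {"V1": C1(), "V2": C1(), "V3": C0(), "other": Foreign()}


def configure_with_MI1(program):
    """A list typed C0 referencing V1, V2 and V3 lets MI1 set At1 on all three."""
    L = TypedList("L_C0", C0, [program["V1"], program["V2"], program["V3"]])
    MI1(L, ["APPLICATION GSM", "TELEPHONER", "APPEL EN COURS"])
    return [obj.M1() for obj in L.elements]


def configure_with_MI2(program):
    """A list typed C1 referencing V1 and V2 lets MI2 set At1 and At2 together."""
    L = TypedList("L_C1", C1, [program["V1"], program["V2"]])
    MI2(L, [("APPLICATION GSM", "menu"), ("TELEPHONER", "text")])
    return [obj.M3() for obj in L.elements]


def refused_attempts(program):
    """Two misuses the list type blocks: referencing an object outside the hierarchy,
    and applying MI2 (which writes At2) through a list typed C0 that reaches V3."""
    outcome = {}
    try:
        TypedList("L_bad", C0, [program["V1"], program["other"]])
        outcome["foreign object in C0 list"] = "accepted"
    except TypeError:
        outcome["foreign object in C0 list"] = "refused"
    L = TypedList("L_C0", C0, [program["V1"], program["V3"]])
    try:
        MI2(L, [("a", "b"), ("c", "d")])
        outcome["MI2 through C0 list"] = "accepted"
    except TypeError:
        outcome["MI2 through C0 list"] = "refused"
    return outcome
```

The type checks in `TypedList` and in the two means play the role the description assigns to the list type: a means can only reach the objects the list's type names, so an object that is not referenced cannot be modified, inadvertently or otherwise, through that means.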

Another advantage of the present invention is that said variables or objects are persistent in memory. This means that, once configured, and provided they are not modified during execution of the application program A, said objects retain their initialisation values even after execution of program A. If these values are not to be modified before another execution of A, there is no need for a user to send the command CDE to reconfigure the application program A. Consequently, the initialisation phase is dispensed with and no initialisation means MI is triggered. As a result, the execution time is reduced.

As we have just seen, the JAVA language is of interest in more than one respect, but one of its characteristics which is also a strength is that it has security means, including a means which verifies that each instruction of an application program A is valid, as well as the parameters of that instruction. For example, if an instruction requires as a parameter a byte array located at a certain address in the memory 12, whereas a forbidden memory address is designated instead, said security means will make it possible to detect this error and thus to prevent access to a forbidden memory space. In order to benefit from these security verification means, the invention provides that every initialisation means MI is defined in the same language as said application program A, that is to say in JAVA. Thus, if a parameter of said means MI is wrong, the program will not be executed and a fraudster will not be able to access forbidden memory locations.
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REVENDICATIONS 



1 - Integrated circuit device comprising a memory and at least one application program resident in said memory, characterized in that said application program comprises at least one configurable variable and a list of at least one referenced element, and in that said memory comprises, on the one hand, at least one means for initializing said variables, said means being parameterized by several parameters, one of which is said list of referenced elements, and, on the other hand, a command making it possible to send data containing in particular values to be assigned to the configurable variables.

2 - Device according to claim 1, characterized in that said configurable variables are persistent in said memory.

3 - Device according to one of the preceding claims, characterized in that a referenced element refers to a configurable variable.

4 - Device according to one of the preceding claims, characterized in that said application program comprises at least two configurable variables referenced in the same list and which derive from the same parent class.

5 - Device according to one of the preceding claims, characterized in that said application program comprises at least two configurable variables referenced in the same list and which are instances of the same class.

6 - Device according to one of the preceding claims, characterized in that at least one initialization means resides in said memory independently of an application program.



REPLACEMENT SHEET (RULE 26)

7 - Device according to one of the preceding claims, characterized in that at least one application program comprises an initialization means.

8 - Device according to one of the preceding claims, characterized in that every initialization means is defined in the same language as said application program.

9 - Device according to one of the preceding claims, characterized in that said command makes it possible to read the contents of the configurable variables.

10 - Method for initializing an application program of an integrated circuit device comprising a memory and at least one application program resident in said memory, characterized in that said method comprises the steps of:

- creating, in said application program, at least one configurable variable and a list of at least one referenced element,
- sending data containing in particular values to be assigned to the configurable variables,
- initializing said variables by means of an initialization means, said means being parameterized by several parameters, one of which is said list of referenced elements.
Microcircuit for a smart card with protected programmable memory.

Microcircuit for a multi-application smart card, comprising in particular a ROM memory (12), a programmable memory (13) and an addressing control circuit (14) for this programmable memory.

According to the invention, the programmable memory (13) is divided into at least one directory zone (ZR) and one applications zone (ZA), the directory zone (ZR) containing, for each loaded application, at least one reference code of an application i present in zone ZAi together with the addresses ZAil and ZAih, respectively the start and the end of the zone ZAi allocated to this application.

The microcircuit also comprises means (25 to 50) for inhibiting any command (R, W or E) of the programmable memory (13) when it relates to an address outside the interval ZAil to ZAih of the application being processed, except in the case of a priority operation specifically provided for by a program fixed in the ROM memory (12).

Application: microcircuit cards.
The present invention relates to a microcircuit for a smart card comprising, among other things: input/output access means, at least one memory which is programmable and accessible through an address space with consecutive addresses, and an addressing control circuit for this programmable memory determining either an inhibition or a validation of the write and/or read commands by comparing the requested address with two limit values, the start and the end of a particular zone of addresses, limits which are stored within the addressing control circuit, which circuit also comprises a priority authorization path making it possible to temporarily bypass said inhibition in predetermined and particular circumstances.

Such a microcircuit is known in particular from document FR 2 304 989.

The use in the banking field of portable cards incorporating an electronic integrated circuit (also called a "chip") is well known, as is the high operating security that results from it. It is indeed practically impossible to access certain data written in protected zones of the microcircuit without destroying it. Moreover, during use, an identification protocol involving a personal secret code, written in a protected zone of the microcircuit, makes it possible to refuse any attempt to use the card if the identification conditions are not satisfied.

In the case of a bank card, the card manufacturer first creates cards whose microcircuit is blank of any personalized information, then, in a second step, writes secret data into it by programming, personalizing each card. The cards are then protected by irreversible technological locks.

The personal identification codes are then sent to each user (the bank's customers) and, by another route, the cards themselves are shipped to the bank, where the customers are asked to come and collect them. This system proves highly secure against attempts at impersonation.

Of course, a smart card can serve many other applications outside the banking field, where the practical aspect of the card's portability and its security of use offer interesting prospects.

One could consider developing a specific microcircuit for each particular application case envisaged, but it is more economical and simpler to provide microcircuits of a sufficiently universal type so that one or the other of the envisaged applications can subsequently be programmed into them.



From this perspective, problems already arise from the point of view of security if one envisages entrusting an entity other than the microcircuit manufacturer with writing the secret identification data and the functional data of its own application.

Indeed, a malicious person who has managed to obtain blank cards and who has, moreover, learned the description techniques of a certain application would be liable to illicitly recreate falsified cards using a data-writing technique that imitates the original.

Now, the entity issuing the application, which is foreign to the microcircuit manufacturer, may wish to load its application data itself, among other reasons so as not to hand over its secrets to the microcircuit manufacturer.

These security difficulties are further aggravated if one envisages creating so-called "multi-application" cards of a universal type, blank at the origin, which can be loaded successively, and in any order, with data and application programs that differ from one another, by issuing entities that are foreign to one another. The aim will then be to perform dynamic allocation of the programmable memory under satisfactory security conditions.

The microcircuit manufacturer should be able to provide the possibility of protecting several memory zones whose individual limits it does not yet know, so that each issuing entity can protect the zone where it has loaded its secret functional data against any read or write attempt arising from the execution of another application, whether these attempts stem from a programming error by the entity that issued that other application or from the illicit programming of a fraudster. It must be realized that it would be illusory to entrust a plurality of entities liable to load various applications with programming secrets relating to the loading of applications, in the hope that these secrets never reach the hands of malicious persons. A solution cannot be envisaged in this direction, all the more so since an entity that is authorized but careless may issue an application containing a programming error leading to the destruction of a data item contained in an application foreign to its own.

The invention is aimed quite particularly at the case of a microcircuit for a multi-application smart card, in which a high level of security is maintained even though the card is manufactured in a blank state and can be loaded, in any order, by application-issuing entities that are independent of one another. In a way, the desired microcircuit should have movable but inviolable locks, whether during loading, during operation, or against the sending of any signals whatsoever on the input/output accesses.

The object of the invention is to provide a solution to this technical problem.

Indeed, according to the invention, a microcircuit for a smart card of the type set out in the introductory paragraph is characterized in that, with a view to loading and operating application programs that are independent of one another, the microcircuit is provided with a microprocessor central unit and a read-only memory (ROM) containing in particular functional routines executable exclusively by the central unit and under its control; in that a so-called directory zone and a so-called applications zone, mutually exclusive, are delimited in the address space of the programmable memory; in that the directory zone contains a directory table in which the start and end addresses and a reference code of each of the application programs liable to be loaded into a portion of the applications zone are written as said programs are loaded, using one of said functional routines; in that the addressing control circuit is arranged to inhibit the write and read commands of the programmable memory for addresses lying outside the interval defined by the start and end limit values of an application designated beforehand on the input/output accesses, which limits are stored in lockable registers called limit registers; while the so-called priority authorization path comprises means for bypassing the aforementioned inhibition by authorizing the writing and reading of the directory zone on the exclusive condition that these operations are performed by means of one of said functional routines during a predetermined operating step in which the registers containing the limit values are unlocked.

Thus, in the general case where an application program is already loaded in the card and called through the input/output access means, a standard usage recognition protocol provided among the functional routines is executed. After which, another routine orders a search in the directory table for the address limit values corresponding to the requested application program, identified in said table by its reference code, and these values are loaded into the limit registers, which are unlocked during this initial operating step.

The requested application program is then launched and, simultaneously, the limit registers are locked, so that read or write access requests that would designate the programmable memory outside the address zone lying between the stored limit values will have no effect, for example until the microcircuit is powered off. The priority authorization path is indeed closed again. In this way, an application program is the only one able to read or write in the address zone assigned to it, which was fixed at loading time. The other application programs are protected against any read or write attempt.

As regards the loading of any new application program into the card, the security resulting from the absence of interference with other zones of the programmable memory is ensured by similar means.

Any request to load an application program on the input/output access means is the subject of a standard protocol conducted in conjunction with a specialized functional routine contained in the read-only memory. The application's reference code and the memory space required must be announced during this protocol. A specific functional routine searches the directory table for the first available address in the applications zone (the address following the highest end address of the application programs already loaded, or the first address of the applications zone when the card is blank). The end address of the requested application is computed from the memory space request announced previously. When this application end address is compatible with the memory space of the applications zone, the start and end address limit values and the application's reference code are then written into the directory table, and these limit values are loaded into the limit registers, again by means of a pre-established and untouchable functional routine.

During these steps preceding the loading, the limit registers are unlocked, and they may remain so during the loading of the application program that follows. The desired security is nonetheless preserved by the fact that the loading of the application program is performed under the control of the central unit and by the effect of a pre-established and safe functional routine that rules out any modification of the contents of the limit registers.

Locking of these registers, commanded by program just before loading, may also be provided.

Any attempt to load outside the previously established address limits will have no effect. The loading operation may be supplemented, if deemed necessary, by a routine for verifying the loaded data, a signature check, a parity test, etc., but such operations will not significantly increase the operating security of the microcircuit according to the invention.
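The loading protocol above, modelled as an added C example that is not code from the patent: a directory table in ZR records a reference code and the limits ZAil and ZAih per application, a load request announces a reference code and a size, the routine takes the first free address after the highest end already recorded (or the start of ZA on a blank card), computes the end address, refuses the request if it does not fit in ZA, and otherwise writes the entry and loads the limit registers; a second routine performs the usage-recognition lookup by reference code. The ZA bounds (8200 to 9FFF), the directory capacity and the entry layout are assumptions made for this model; only the ZR range 8000 to 80FF comes from the text.

```c
/* Added example (not the patent's own code): C model of the loading
 * protocol. ZA bounds, directory capacity and entry layout are assumed. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define ZR_START 0x8000u   /* directory zone, 256 bytes (from the text) */
#define ZR_END   0x80FFu
#define ZA_START 0x8200u   /* applications zone: assumed bounds */
#define ZA_END   0x9FFFu
#define MAX_APPS 16        /* assumed directory capacity */

struct dir_entry {
    uint16_t ref_code;     /* application reference code */
    uint16_t za_low;       /* ZAil: start address */
    uint16_t za_high;      /* ZAih: end address (inclusive) */
};

struct directory {
    struct dir_entry entries[MAX_APPS];
    size_t count;
};

/* Limit registers 25 and 26 of the addressing control circuit. */
struct limit_regs {
    uint16_t low;
    uint16_t high;
};

/* First free address in ZA: one past the highest end address already
 * recorded, or ZA_START on a blank card. */
static uint32_t first_free_address(const struct directory *dir)
{
    uint32_t next = ZA_START;
    for (size_t i = 0; i < dir->count; i++) {
        if ((uint32_t)dir->entries[i].za_high + 1 > next)
            next = (uint32_t)dir->entries[i].za_high + 1;
    }
    return next;
}

/* Loading protocol: the caller announces ref_code and the size needed.
 * On success the directory entry is written and the limit registers are
 * loaded; returns false if the request does not fit or the code is taken. */
bool load_request(struct directory *dir, struct limit_regs *regs,
                  uint16_t ref_code, uint32_t size)
{
    if (size == 0 || dir->count >= MAX_APPS)
        return false;
    for (size_t i = 0; i < dir->count; i++)
        if (dir->entries[i].ref_code == ref_code)
            return false;              /* duplicate reference code */

    uint32_t low = first_free_address(dir);
    uint32_t high = low + size - 1;    /* 32-bit: no 16-bit wraparound */
    if (high > ZA_END)
        return false;                  /* does not fit in ZA */

    struct dir_entry e = { ref_code, (uint16_t)low, (uint16_t)high };
    dir->entries[dir->count++] = e;
    regs->low = (uint16_t)low;
    regs->high = (uint16_t)high;
    return true;
}

/* Usage-recognition step: look up a loaded application by reference code
 * and load its limits into the registers. */
bool select_application(const struct directory *dir, struct limit_regs *regs,
                        uint16_t ref_code)
{
    for (size_t i = 0; i < dir->count; i++) {
        if (dir->entries[i].ref_code == ref_code) {
            regs->low = dir->entries[i].za_low;
            regs->high = dir->entries[i].za_high;
            return true;
        }
    }
    return false;
}
```

The end address is computed in 32 bits so that a request whose size would wrap past FFFF is rejected by the ZA_END check rather than silently truncated into another application's zone; a duplicate reference code is also refused, since a later lookup would otherwise load the wrong limits.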

The priority authorization path can be controlled in different ways by applying appropriate logic conditions and depending on the sequence of operating steps that follow the powering-on of the microcircuit.

However, according to a preferred embodiment of the invention, which offers every guarantee from the security point of view, the microcircuit is characterized in that it comprises a bistable flip-flop, placed in a first state exclusively upon powering-on of the microcircuit, then placed in a second state opposite to the first as soon as a program counter associated with the central unit contains an address value lying within the address space of the programmable memory, and in that this bistable flip-flop delivers a lock/unlock signal for controlling the locking of the limit registers and for controlling the priority authorization path.

Because it is tied to the program counter, the lock/unlock signal provides a means, inviolable by any application program, for locking the limit registers and the priority authorization path, even though the bistable flip-flop remains by nature an element that is reversible over time.

Since the functional routines whose purpose is to read and/or write the directory table are written in the read-only memory, the program counter points to this memory to execute them step by step.

It is therefore sufficient to place the execution of these routines in operating steps that precede any execution of a program written in the programmable memory. The priority authorization path is still open as long as routines executed under the control of the central unit are concerned. As soon as the program counter is loaded with an address designating the programmable memory, the lock/unlock signal will immediately be placed in its blocking state, locking the limit registers and forbidding access to the directory table.



In practice, this can advantageously be realized in a microcircuit characterized in that the addressing control circuit comprises a so-called validation OR gate, whose output controls the transmission of the write and read signals of the programmable memory; in that a first input of this validation gate receives a signal resulting from the comparison of any called address with the contents of the limit registers, and another input, through which the priority authorization is performed, receives a signal resulting from the logical product of the lock/unlock signal and the output signal of an address decoder recognizing only the addresses of the directory zone.

Until now, it has been considered that the address space of the programmable memory was protected under the aforementioned conditions relating to the directory zone and the applications zone. It may however be useful to further provide a certain zone of the programmable memory's address space that is freely accessible by any application program, for example to place processing results there temporarily or to transfer data from one application to another.

Without reducing security, this facility can easily be obtained by a slight modification of the addressing control circuit defined above. According to this embodiment, a microcircuit according to the invention is characterized in that a so-called "public" zone is further provided in the address space of the programmable memory, which zone is distinct from the directory zone and from the applications zone, and in that the addressing control circuit comprises an additional address decoder, recognizing only the addresses of the public zone, which delivers at its output a signal applied to an additional input of the validation OR gate.

The following description, with reference to the appended drawings given by way of non-limiting examples, will make clear what the invention consists of and how it can be realized.
Figure 1 shows a block diagram of a microcircuit according to the invention,
Figure 2 is a block diagram of a portion of the microcircuit delivering a lock/unlock signal, and
Figure 3 schematically illustrates the organization of a particular zone of the programmable memory.

Figure 1 shows the general and simplified diagram of a microcircuit according to the invention. In this figure, and for greater clarity, the elements that do not directly concern the invention have not been shown. The microcircuit comprises a microprocessor central unit 10, a random-access memory 11, a read-only memory 12, a programmable memory 13, for example an EEPROM, and an addressing control circuit 14 for the programmable memory 13. The aforementioned elements are interconnected by a bus system 15 conveying the addresses and data between these various elements. For simplicity, the bus system 15 has been shown as a single link, although, depending on the case, an address bus and a data bus separate from each other may be used. As is common practice, the bus system 15 may also be a single bus on which addresses and data are time-multiplexed. Associated with the central unit 10 are input/output access means 16, which are isolated from the bus system 15 so as to guarantee access controlled by the central unit 10 to the sensitive zones of the microcircuit containing data to be protected.

The addressing control circuit 14 receives from the central unit 10 a set of control links 20, among which are essentially the write W, read R and erase E commands when they are intended for the programmable memory 13.

The read and write commands for the random-access memory 11 and the read commands for the read-only memory 12 have not been shown, for greater clarity of the figure and because they do not interfere with the invention. The W, R and E commands intended for the programmable memory 13 can be inhibited or validated by the addressing control circuit 14 under conditions that will be explained below. In accordance with a practice in use in microcontrollers, the read-only memory 12 and the programmable memory 13 are part of the same addressing system, while the random-access memory 11 is addressed in a manner distinct from and exclusive of the addressing of memories 12 and 13. In the address space of the programmable memory 13 are delimited a directory zone ZR and an applications zone ZA, zones which are mutually exclusive and which are defined once and for all by construction.

Initially, zones ZR and ZA are blank. The microcircuit can be loaded with application programs independent of one another, in any order and at any time. As said programs are loaded, they will be written successively into distinct zones ZA1, ... ZAi, ... ZAn, which are adjacent and which progressively fill the applications zone ZA.

Of course, each zone ZAi of a given application may also contain data (other than operation codes) specific to that application and/or memory locations intended to receive processing results. According to the invention, the directory zone ZR contains a directory table in which the start and end addresses and a reference code of each of the application programs loaded into the applications zone are written when said programs are loaded. Thus, an i-th application program loaded into zone ZAi between the addresses ZAil and ZAih, respectively the start and the end of application program i, was loaded in the course of a protocol during which the addresses ZAil and ZAih were determined beforehand and loaded into the directory table of the directory zone ZR, accompanied by a reference code of application program i. The loading protocol just mentioned uses one of said functional routines written immutably in the read-only memory 12.

The addressing control circuit 14 is arranged to inhibit the read (R), write (W) and erase (E) commands intended for the programmable memory 13 for addresses lying outside the interval defined by the start ZAil and end ZAih limit values of an application ZAi designated beforehand on the input/output accesses 16. To this end, the bus system 15 is split, on entering the addressing control circuit 14, into a data bus 21 and an address bus 22. The data bus 21 is applied in parallel to two lockable registers, called limit registers 25 and 26 respectively, where the start and end addresses of an application being processed can be stored and locked by means of a lock/unlock signal (LOC) coming from a terminal 60. The address bus 22, internal to the addressing control circuit 14, is applied in parallel to two comparators 28, 29, respectively associated with the limit registers 25 and 26. Comparator 28 delivers an authorization signal when the current address on address bus 22 is greater than or equal to the start address stored in limit register 25, while comparator 29 delivers a second authorization signal when the current address on address bus 22 is less than or equal to the application end limit address stored in register 26. The two authorization signals delivered at the outputs of comparators 28 and 29 are applied to the two inputs of an AND gate 30 whose output 31 presents an authorization signal when the current address presented on address bus 22 lies within the address limits stored in registers 25 and 26. The authorization signal present at the output 31 of gate 30 is applied, via an OR gate 32, called the validation gate, to one of the inputs of three AND gates 35, 36, 37, the other input of each of which receives respectively the read (R), write (W) and erase (E) commands. These commands are therefore transmitted to the programmable memory 13 only when the AND gates 35, 36, 37 are conducting, that is to say when the current address present on address bus 22 lies within or is equal to the address limits stored in registers 25 and 26, and, conversely, these commands are inhibited when the current address is outside these limit values.

The OR gate 32 forms part of what was previously called the priority authorization path, in that it has a second input 40 to which an authorization signal is applied during a predetermined operating step that follows any powering-on of the microcircuit.

To realize said priority authorization path, the lock/unlock signal (LOC) is inverted by an inverter 41 and applied to one of the two inputs of an AND gate 42. To the other input of this AND gate 42 is applied the output signal of an address decoder 43 recognizing only the addresses of the directory zone (ZR) and supplying the AND gate 42 with an authorization signal when the current address presented on address bus 22 lies within the address space of the directory zone (ZR). The AND gate 42 thus performs the logical product of the inverted lock/unlock signal (LOC) and the output signal of address decoder 43 to supply a priority authorization signal to input 40 of validation gate 32. Address decoder 43, which recognizes only addresses of the directory zone (ZR) of programmable memory 13, can be of a very simple type when the number of bytes of the directory zone (ZR) can be expressed as an integer power of two, such as 256 bytes or 512 bytes, etc. By way of example, the directory zone may have a start address expressed in hexadecimal as 8000 and an end address expressed in hexadecimal as 80FF.

The microcircuit shown in Figure 1 further includes an optional arrangement whereby a so-called "public" zone ZP is provided in the address space of the programmable memory 13, which zone is distinct from the directory zone ZR and from the applications zone ZA, and which has been shown by way of example between zones ZR and ZA and adjacent to them. Since unconditional access to this public zone ZP is provided, the validation gate 32 has a third input 50 to which is applied a validation signal coming from an address decoder 51 similar to address decoder 43, except that it recognizes only the addresses of the public zone ZP of programmable memory 13.
As already mentioned, the lock/unlock signal (LOC) is placed in an unlocked state (LOC = 0) during a predetermined operating step that follows any powering-on of the microcircuit. It can be generated by any suitable logic system that allows the loading of limit registers 25 and 26 and unblocks AND gate 42 to permit reading and/or writing of the directory table located in the directory zone ZR.

According to an embodiment of the invention that is particularly advantageous for the high security it provides, the lock/unlock signal (LOC) is produced in relation to the contents of a program counter, as is generally known and associated with a microprocessor central unit.

Reference is now made to Figure 2 for the description of this portion of the microcircuit.

This figure shows a program counter 55 which is part of the central unit 10 and which allows the step-by-step execution of functional routines contained in the read-only memory 12. This arrangement is moreover conventional in all microcontrollers or microprocessors and therefore does not require a detailed description. The program counter 55 is connected to a decoder 56, 57 which, via an OR gate 66, actuates at its output a bistable flip-flop 58, for example of the RS type, when the contents of program counter 55 exceed a certain address value, which in the illustrated example has the hexadecimal value 7FFF as its limit. This address limit corresponds to the case where the programmable memory has its lowest address expressed in hexadecimal as 8000. A functional routine, otherwise conventional in microcontrollers, resets a certain number of registers and, in this specific case, applies a reset signal to the reset input 59 of bistable flip-flop 58. The bistable flip-flop 58 ultimately delivers the lock/unlock signal (LOC) on terminal 60, also shown in Figure 1, at the input of the addressing control circuit 14.

Following a powering-on of the microcircuit, and as long as the central unit 10 executes the functional routines contained in the read-only memory 12, the program counter 55 designates program addresses relating to that same read-only memory and the bistable flip-flop 58 delivers an unlock signal (LOC = 0). The directory table can be read or written under the control of the central unit 10 and the limit registers 25, 26 can be loaded by that same central unit. Conversely, as soon as an application program is called (so that the address contained in program counter 55 necessarily exceeds the hexadecimal address 7FFF given as the limit in the example), the bistable flip-flop 58 is placed in the state opposite to the first state and delivers a lock signal on terminal 60 (LOC = 1). The limit registers 25 and 26 and the priority authorization path will henceforth be locked until the next powering-off of the microcircuit. As can be seen, this arrangement offers every security to guarantee an absence of interference between the various application programs liable to be loaded into the applications zone ZA.

OR gate 66 also allows a variant of operation in which the lock signal (LOC = 1) can be produced by a specific routine contained in ROM 12, and therefore even if the contents of the counter have not yet exceeded the limit value 7FFF. The functional routine provided for this purpose makes the central unit 10 emit a command signal on a link 67 which is applied to a second input of OR gate 66. A lock signal can thus be emitted under program control, and it persists until the next reset. This arrangement further increases security during the loading of a new application program, and during the execution of an application that calls only routines contained in ROM 12 and whose zone ZAi reserved in the programmable memory contains only data (and no operating code).

With the help of figure 3, we will briefly explain how the directory zone ZR of the programmable memory 13 can be organized. Figure 3 refers, moreover, to an example whose values are purely arbitrary and serve no purpose other than to make the explanations clearer.

Assume that the directory zone of the programmable memory 13 starts at hexadecimal address 8000 and ends at address 80FF. In this 256-byte zone one may provide, if desired, a portion designated ZID intended to receive identification data for the card, for its owner and for keys. Outside the identification zone ZID lies the directory table TR proper, which begins at address INI and extends to hexadecimal address 80FF. As indicated in the figure, the directory table TR contains the successive entries of a first loaded program, whose reference code is called "PR-APP-A", 350 bytes long, whose hexadecimal program-execution start address is 8200, the same as its zone start address, and whose zone end address is 835D; then a program referenced "PR-APP-B", 250 bytes long, having as program-execution start address the hexadecimal value 8365, as zone start address 835E and as end address 8457; and finally a program referenced "PR-APP-C", 180 bytes long, having as program-execution start address the hexadecimal value 8460, as zone start address 8458 and as end address 850C. Indeed, as this example shows, the program-execution start addresses do not necessarily coincide with the start address of the zone allocated to the same program, but they are necessarily contained within that allocated zone.
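
The directory table TR described above, as an added example that is not part of the patent: the three entries of figure 3 are serialized into fixed-size records in zone ZR and checked for the properties the address-control hardware relies on (each zone inside the applications zone, zones allocated back to back, execution address inside its own zone). The record layout (8-byte ASCII reference code, then 16-bit big-endian zone start, zone end and execution start), the position INI of the table after ZID and the bounds of the applications zone are assumptions; the patent fixes none of them. Note that with the patent's own figures the "PR-APP-C" entry encloses 181 bytes (8458 to 850C inclusive), not 180, which the size check below makes visible.

```python
import struct

ZR_START, ZR_END = 0x8000, 0x80FF   # directory zone ZR (patent's example)
INI = 0x8040                        # assumed start of TR, after the identification portion ZID
ZA_START, ZA_END = 0x8200, 0x8FFF   # assumed bounds of the applications zone ZA
RECORD = struct.Struct(">8sHHH")    # ref code, zone start, zone end, execution start (assumed layout)

# Constructed entries reproducing the figures of the patent's example.
EXAMPLE_TR = [
    ("PR-APP-A", 0x8200, 0x835D, 0x8200),
    ("PR-APP-B", 0x835E, 0x8457, 0x8365),
    ("PR-APP-C", 0x8458, 0x850C, 0x8460),
]


def encode_tr(entries):
    """Serialise the entries into the bytes of TR (INI..80FF); unused space is zero-filled."""
    body = b"".join(RECORD.pack(ref.encode("ascii"), s, e, x) for ref, s, e, x in entries)
    capacity = ZR_END - INI + 1
    if len(body) > capacity:
        raise ValueError("directory table overflows the directory zone")
    return body.ljust(capacity, b"\0")


def decode_tr(tr_bytes):
    """Parse records until the first all-zero (unused) record."""
    entries = []
    for off in range(0, len(tr_bytes) - RECORD.size + 1, RECORD.size):
        rec = tr_bytes[off:off + RECORD.size]
        if rec == bytes(RECORD.size):
            break
        ref, s, e, x = RECORD.unpack(rec)
        entries.append((ref.rstrip(b"\0").decode("ascii"), s, e, x))
    return entries


def check_tr(entries):
    """Consistency checks the address-control hardware depends on; returns the problems found."""
    problems = []
    prev_end = None
    for ref, s, e, x in entries:
        if not (ZA_START <= s <= e <= ZA_END):
            problems.append(f"{ref}: zone {s:04X}-{e:04X} outside the applications zone")
        if prev_end is not None and s != prev_end + 1:
            problems.append(f"{ref}: zone does not start right after {prev_end:04X}")
        if not (s <= x <= e):
            problems.append(f"{ref}: execution address {x:04X} outside its zone")
        prev_end = e
    return problems


def zone_size(entry):
    """Number of bytes enclosed by the start and end limits (both inclusive)."""
    return entry[2] - entry[1] + 1
```

A ROM routine that appends to TR would run check_tr on the new entry before committing it, since once the limit registers are loaded from a bad entry the hardware enforces whatever the table says.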

We will first describe the case where an application program already loaded in the card is called on the input/output access means.

Every request to execute an application program goes through a procedure that can be broken down into 5 main steps:

- an initialization step, which may include a procedure for identifying the card and its user,

- a procedure for requesting the application, announced on the input/output means,

- a search procedure in the directory table TR to determine whether the requested application exists and, if so, the loading of the application-specific data taken from that table,

- the loading of the limit registers,

- and finally the execution proper of the requested application program.

As soon as the microcircuit is powered up, the bistable flip-flop 58 is reset at the same time as a number of registers, notably the program counter 55. After a possible recognition protocol involving identification data contained in the identification portion ZID of the directory zone ZR, an application program, for example the one referenced "PR-APP-B", is called.

Under the effect of a pre-established routine, the central unit 10 searches the directory table TR to determine whether such an application program is present. If so, the start and end address values of this application program, in the example the hexadecimal addresses 835E and 8457 respectively, are taken from the directory table TR and, still under the effect of a pre-established routine, these limit values are loaded into the limit registers 25 and 26 respectively. Up to this point the operation of the microcircuit has called only routines located in the read-only memory 12, so that the program counter has never crossed the boundary of the addresses designating the programmable memory 13, i.e. in our example an address above the hexadecimal value 7FFF. In the operating step that follows, which consists in executing the called program, the program counter 55 is loaded with the execution start address of the called application program, for example the hexadecimal address 8365. This causes the bistable flip-flop 58 to change state and produces a lock signal (LOC = 1) on terminal 60. This signal locks the limit registers 25 and 26 and blocks the priority authorization path formed by the branch comprising inverter 41, AND gate 42 and input 40 of validation gate 32. From now on, write, read and erase operations in the programmable memory can only be carried out within the portion lying between the start and end limits of the called program, or in the public zone ZP. This selective access persists until the microcircuit is powered down. Write and read operations in the so-called public zone ZP remain possible by means of the authorization signal present on input 50 of validation gate 32 and coming from address decoder 51, which recognizes the addresses corresponding to this zone ZP.

We now come to the operation of the microcircuit in the case where an application program has to be loaded into the programmable memory 13. As soon as the microcircuit is powered up, an initialization step is started which is essentially similar to the one already mentioned for the execution of an application program. In a second step, and under the control of a pre-established functional routine, the reference code of the program to be loaded is announced on the inputs/outputs, together with the memory volume this program requires, expressed for example as a number of bytes. In a third operating step, and also under the effect of a pre-established functional routine, a search is made in the directory table TR contained in the directory zone ZR to determine whether the requested program has already been loaded and, if not, what the last program end limit address recorded in the table is. This address also corresponds to the highest occupied address of zone ZA, since the programs have been loaded successively at increasing addresses. In the example it is the hexadecimal value 850C. The same functional routine determines, on the one hand, the immediately following address value, i.e. hexadecimal address 850D, which will serve as the start limit value of the new program to be loaded, and calculates, on the other hand, what the end address of the program to be loaded will be, given the memory volume announced in the second step. In a fourth step, the central unit performs a test to determine whether the program end address thus calculated is compatible with the highest address of the applications zone ZA; then, under the effect of a pre-established routine, the program start and end limit values thus determined are loaded into the limit registers 25 and 26. Since up to now the central unit has executed functional routines located in the read-only memory 12, the program counter has never crossed the boundary of the address values relating to the programmable memory 13. The lock/unlock signal is therefore in its unlocked state (LOC = 0), which has allowed the loading of the limit registers 25 and 26 as well as the reading of the directory table by means of the priority authorization path 41, 42 and 32. In a fifth step, and under the effect of a functional routine, the central unit 10 completes the directory table of the directory zone ZR by recording, after the references already present, the reference code, the previously determined start and end address limit values relating to the application program being loaded, and the execution start address of this program.

A sixth operating step, which follows, essentially concerns the loading of said program, a loading that can only be carried out within the limits set by the start and end address values stored in the limit registers 25 and 26. During this loading the limit registers 25 and 26 may be left unlocked (LOC = 0), but they nevertheless control the write operations in the same way as if they had been locked. Security is maintained all the same, because the loading is carried out under the control of the central unit 10 through a functional routine that cannot be modified by a user. It is however also possible to activate flip-flop 58 under program control by means of a signal transmitted over link 67 to OR gate 66. In that case the limit registers can be locked during loading. Any attempt to load an application program longer than the announced memory volume will remain ineffective owing to the control exerted by the limit registers 25 and 26 and AND gate 30.

If desired, the program loading step can be followed by a verification of the loaded data: a final signature check, a parity test, etc. It is easy to detect an attempt to load a program longer than the announced length, since the last data item or items presented for loading are in fact not recorded in the programmable memory, so that a verification of this final data reveals the attempted abusive loading, whether accidental or fraudulent.

Referring again to figure 1, an additional device for signalling an operating anomaly will now be described. This additional device comprises a two-input AND gate 62, a three-input OR gate 63 and an inverter 64.

Inverter 64 receives at its input the output signal of validation gate 32 and passes it, after inversion, to one input of AND gate 62.

OR gate 63 has its output connected to the other input of AND gate 62 and receives at its inputs the three control signals R, W, E intended for the programmable memory 13, thus forming the logical sum of these control signals.

When one of these operations is requested, the output signal of OR gate 63 is high. If at the same time none of the authorization conditions is met, which produces a low signal at the output of OR gate 32, AND gate 62 is activated and produces at its output a signal sent back to the central unit 10, for example an interrupt signal (INT = 1).

Thus, where an interrupt is used, an operating anomaly, and more particularly an unauthorized request for access to the programmable memory 13, will result in an interruption of the microcircuit's operation (non-maskable interrupt), and a warning message can, if desired, be produced on the card's operating terminal.

The INT signal produced in the event of an anomaly can be used to make any desirable modification of the microcircuit's operation: for example invalidating the program that produced the anomaly, or even disabling the operation of the card entirely.
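
The mechanisms described in the preceding passages (the LOC flip-flop driven by the program counter or by link 67, the limit registers 25 and 26, the priority path to the directory zone, the public zone decoder, the execution and loading procedures, and the INT anomaly signal) as one behavioural model in Python. This is an added example, not the patent's own design or code: the ROM limit 7FFF and the directory zone 8000-80FF are the patent's example values, while the location of the public zone, the bounds of the applications zone, the representation of TR as a list of tuples and the scripted session in demo() are assumptions.

```python
ROM_TOP = 0x7FFF          # program counter above this designates the programmable memory
ZR = (0x8000, 0x80FF)     # directory zone (patent's example)
ZP = (0x8100, 0x81FF)     # public zone (assumed location)
ZA = (0x8200, 0x8FFF)     # applications zone (assumed bounds)


class AccessDenied(Exception):
    """Validation gate 32 low for a requested R, W or E operation."""


class Microcircuit:
    def __init__(self):
        self.mem = bytearray(0x10000)    # programmable memory, absolute addressing
        self.tr = []                     # directory table TR in ZR: (ref, start, end, exec)
        self.power_on()

    def power_on(self):
        """Power-up reset: flip-flop 58 cleared (LOC = 0), PC and limit registers cleared."""
        self.loc = 0
        self.pc = 0
        self.lim_lo = self.lim_hi = 0    # limit registers 25 and 26
        self.int_count = 0               # INT pulses produced by AND gate 62

    def set_pc(self, addr):
        self.pc = addr
        if addr > ROM_TOP:               # decoder 56/57 -> OR 66 -> flip-flop 58 set
            self.loc = 1                 # sticky until power_on()

    def software_lock(self):
        self.loc = 1                     # ROM routine drives link 67 -> OR 66

    def _authorised(self, addr):
        """Validation gate 32: limits (AND 30), priority path (41, 42) or public zone (51)."""
        in_limits = self.lim_lo <= addr <= self.lim_hi
        priority = self.loc == 0 and ZR[0] <= addr <= ZR[1]
        public = ZP[0] <= addr <= ZP[1]
        return in_limits or priority or public

    def access(self, op, addr, value=0):
        """One R/W/E request; an unauthorised one raises INT (gates 63, 64, 62)."""
        if not self._authorised(addr):
            self.int_count += 1
            raise AccessDenied(f"{op} at {addr:04X} (LOC={self.loc})")
        if op == "W":
            self.mem[addr] = value
        elif op == "E":
            self.mem[addr] = 0xFF
        return self.mem[addr]

    def load_limits(self, lo, hi):
        if self.loc:                     # registers 25/26 cannot be loaded when LOC = 1
            raise AccessDenied("limit registers locked")
        self.lim_lo, self.lim_hi = lo, hi

    def run_application(self, ref):
        """ROM routine: steps 3 to 5 of the execution procedure."""
        entry = next((e for e in self.tr if e[0] == ref), None)
        if entry is None:
            return None
        self.access("R", ZR[0])          # TR lookup goes through the priority path
        self.load_limits(entry[1], entry[2])
        self.set_pc(entry[3])            # PC > 7FFF: LOC = 1, registers and ZR lock
        return entry[3]

    def load_application(self, ref, code, announced_len, exec_offset=0, lock_first=False):
        """ROM routine: steps 2 to 6 of the loading procedure; returns bytes stored."""
        if any(e[0] == ref for e in self.tr) or not 0 <= exec_offset < announced_len:
            raise ValueError("bad load request")
        start = self.tr[-1][2] + 1 if self.tr else ZA[0]   # after the last recorded end
        end = start + announced_len - 1
        if end > ZA[1]:
            raise ValueError("does not fit in the applications zone")
        self.load_limits(start, end)
        self.access("W", ZR[0])          # TR entry written through the priority path
        self.tr.append((ref, start, end, start + exec_offset))
        if lock_first:
            self.software_lock()         # variant: registers locked during loading
        stored = 0
        for i, byte in enumerate(code):
            try:
                self.access("W", start + i, byte)
                stored += 1
            except AccessDenied:         # byte beyond the announced volume is refused
                break
        return stored


def _denied(action):
    try:
        action()
        return False
    except AccessDenied:
        return True


def demo():
    """Scripted session: load three applications, then run one and probe the fences."""
    m = Microcircuit()
    out = {"a": m.load_application("PR-APP-A", bytes(350), 350),
           "b": m.load_application("PR-APP-B", bytes(250), 250, exec_offset=7),
           "c": m.load_application("PR-APP-C", bytes(200), 180, lock_first=True)}
    out["int_after_load"], out["tr"] = m.int_count, list(m.tr)
    m.power_on()                         # new session: unlocked again
    out["exec"], out["loc"] = m.run_application("PR-APP-B"), m.loc
    out["read_own"] = m.access("R", 0x8400)
    out["write_public"] = m.access("W", ZP[0], 0x5A)
    out["cross_read_denied"] = _denied(lambda: m.access("R", 0x8200))
    out["second_app_denied"] = _denied(lambda: m.run_application("PR-APP-A"))
    out["int_after_run"] = m.int_count
    return out
```

The model makes the text's two guarantees observable: a 200-byte image announced as 180 bytes stores exactly 180 bytes and raises one INT, and once "PR-APP-B" is running, a read of "PR-APP-A"'s zone and any attempt to start a second application are refused until the next power_on(), while the public zone stays writable.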

An advantageous consequence of the invention is that only the functional routines written in the read-only memory need to be extensively tested and approved, whereas the application programs can be created by various entities, under their own responsibility, without risk of undue interference between applications.

The microcircuit according to the invention thus offers full security for multi-application smart card use.



Claims

1. Microcircuit for a smart card comprising, among other things: input/output access means, at least one memory which is programmable and accessible through an address space of consecutive addresses, an address-control circuit for this programmable memory which determines either an inhibition or a validation of the write and/or read commands by comparing the requested address with two limit values, a start and an end, of a particular address zone, which limits are stored within the address-control circuit, which circuit also comprises a priority authorization path making it possible to temporarily override said inhibition in predetermined and particular circumstances, characterized in that, with a view to loading and operating application programs that are independent of one another, the microcircuit is provided with a microprocessor central unit and with a read-only memory (ROM) containing in particular functional routines executable exclusively by the central unit and under its control; in that a so-called directory zone and a so-called applications zone, mutually exclusive, are delimited in the address space of the programmable memory; in that the directory zone contains a directory table in which the start and end addresses and a reference code of each of the application programs liable to be loaded into a portion of the applications zone are recorded as said programs are loaded and by using one of said functional routines; in that the address-control circuit is arranged to inhibit the write and read commands of the programmable memory for addresses lying outside the interval defined by the start and end limit values of an application previously designated on the input/output access, which limits are stored in lockable registers called limit registers; while the so-called priority authorization path comprises means for overriding the aforesaid inhibition by authorizing the writing and reading of the directory zone on the exclusive condition that these operations are carried out by means of one of said functional routines during a predetermined operating step in which the registers containing the limit values are unlocked.
2. Microcircuit according to claim 1, characterized in that it comprises a bistable flip-flop placed in a first state exclusively upon power-up of the microcircuit, then placed in a second state, opposite to the first, as soon as a program counter associated with the central unit contains an address value lying within the address space of the programmable memory, and in that this bistable flip-flop delivers a lock/unlock signal for controlling the locking of the limit registers and for controlling the priority authorization path.

3. Microcircuit according to claim 2, characterized in that said bistable flip-flop can also be placed in said second state by a command signal delivered by the central unit under the effect of a functional routine provided for this purpose.

4. Microcircuit according to one of claims 1 to 3, characterized in that the address-control circuit comprises a so-called validation OR gate whose output controls the transmission of the write and read signals of the programmable memory, in that a first input of this validation gate receives a signal resulting from the comparison of every called address with the contents of the limit registers, and another input, through which the priority authorization takes place, receives a signal resulting from the logical product of the lock/unlock signal and the output signal of an address decoder recognizing only the addresses of the directory zone.

5. Microcircuit according to claim 4, characterized in that a so-called "public" zone is further provided in the address space of the programmable memory, which zone is distinct from the directory zone and from the applications zone, and in that the address-control circuit comprises an additional address decoder recognizing only the addresses of the public zone, which delivers at its output a signal applied to an additional input of the validation OR gate.

6. Microcircuit according to one of claims 4 or 5, characterized in that an anomaly detection signal (INT) is produced at the output of an additional AND gate, a first input of which receives the signal from the validation gate, and a second input of which receives the logical sum of the read, write and erase control signals, at the output of an additional OR gate.
METHOD FOR STORING DATA IN A REWRITABLE MEMORY OF A SMART CARD.

(57) This storage method consists in adding, to the fixed-length elementary files of transparent (5) or record (4) type provided for by the ISO 7816-4 standard, variable-length elementary files (7) whose capacity is always matched to the size of the records they store, and in managing this new file type with micro-instructions that follow the formalism of the ISO 7816-4 standard and belong to the proprietary instruction class. Thanks to this new type of variable-length elementary file, it is possible to envisage new smart cards that comply with the ISO 7816-4 standard and implement data compression techniques at the data storage level, which is particularly interesting given the limited data storage capacity of a smart card.
The present invention concerns the storage of data in a microprocessor smart card.

Smart cards are generally cards of credit-card format, or tokens, fitted with an electronic microcircuit based on memories and a microcontroller and arranged to allow a transaction, for example a banking or health transaction, to be carried out. They communicate with their environment by means of readers with which they exchange messages, and they comply with the ISO 7816-4 standard. To carry out a transaction they need to keep, and update, a certain amount of information in an on-board reprogrammable memory called EEPROM (Electrically Erasable Programmable Read Only Memory).

Until now, data storage in the EEPROM of a smart card has been organized by the ISO 7816-4 standard in three levels of files:

- a first level, the main file ("Main File" in the original; ISO 7816-4 itself calls it the Master File), consisting of the accessible part of the EEPROM memory space, provided with a definition header and with locating headers for the second-level files it contains;

- a second level of directory files (Dedicated File), each provided with a definition header and with locating headers for the third-level files it contains, and

- a third level of so-called elementary files (Elementary File), which are of two types: either transparent (Transparent File), the record data not being structured within the file, read and write addressing being left to the application program controlling the transaction taking place in the smart card, or record type (Record File), the data being stored in fixed-size blocks managed by the operating system of the smart card's microcontroller.

With a data storage system in smart card EEPROM as governed by the ISO 7816-4 standard, the application program controlling the transaction taking place in the smart card must know the sizes of the data blocks it intends to store in the card's EEPROM, because the two permitted types of elementary file, where the data are actually stored, are of fixed length. This limitation prevents the use of data compression within the smart card because, in that case, the application program controlling the transaction no longer controls the length of the data blocks that will actually be stored after compression.

The present invention aims to avoid this limitation by creating a new type of third-level file, called a variable-length elementary file (Record Variable File), managed by proprietary instructions of the ISO 7816-4 standard so as to keep upward compatibility with that standard.

Its subject is a method for storing data in a rewritable smart card memory, consisting in storing the data, at least in part, in variable-length elementary files each composed of a variable-length chain of fixed-length, small-capacity domains of the rewritable memory, said chain having its domains located by means of a domain allocation table that evolves according to the amount of data actually stored.

Advantageously, said variable-length record elementary files form part of larger directory files, of variable type, which contain their domain allocation tables; each such table consists of a header placed in a management zone of the directory file, noting and locating the start of the chain, and of links placed at the start or end of each domain, identifying the membership of the domain concerned in a chain, i.e. its occupancy, and locating the next domain in the chain.

Advantageously, said variable-length elementary files coexist with fixed-length elementary files within distinct directory files and are managed by an operating system responding to commands made up of several successive fields: an instruction class field, an instruction field and a parameter field, the instruction class making it possible to distinguish a variable-type directory file containing variable-length files from fixed-type directory files containing fixed-length files, so that each elementary file is managed according to its kind by the operating system, either alone or under the control of an application program operating at a higher level.

Other features and advantages of the invention will emerge from the following description of an embodiment given by way of example. This description is made with reference to the drawing, in which:

- figure 1 schematically illustrates an occupancy map of a rewritable (EEPROM) smart card memory as results from a smart card data storage method according to the invention, upwardly compatible with the ISO 7816-4 standard, and

- figure 2 details the structure of a variable-type directory file appearing in figure 1.

According to the ISO 7816-4 standard, data storage in a rewritable memory of the EEPROM type of a smart card is done with a file system organized in three levels:

- a first level consisting of a main file "Main File MF" 2 occupying the whole accessible part 1 of the EEPROM memory space, with a storage zone 20 complemented by a management zone 21,

- a second level of directory files "Dedicated File DF" 3, likewise with a storage zone 30 complemented by a management zone 31. These directory files DF 3 occupy the storage zone 20 of the main file MF 2 with, in the management zone 21 of the main file 2, headers listing and locating the directory files DF 3 within the main file 2 (directory file start addresses, directory file sizes, etc.), and

- a third level of elementary files "Elementary File EF" 4, 5 occupying the storage zones 30 of the directory files DF 3 with, in the management zone 31 of the directory files DF 3 hosting them, headers listing and locating the elementary files EF 4, 5 within the directory files DF 3 (elementary file types, start addresses of the elementary files EF 4, 5, elementary file sizes, etc.).

Still according to the ISO 7816-4 standard, elementary files are of two types: fixed-size record elementary files "Record EF" 4, in which data are stored in fixed-size blocks, and so-called transparent elementary files "Transparent EF" 5, also of fixed size, in which data are not structured, relative read and write addressing being left to the application program controlling the course of a transaction in the smart card.

With such a storage system, comprising only record-type 4 or transparent 5 elementary files, the application program controlling a transaction carried out with a smart card must know the length of the data blocks to be stored in the card. This removes all interest from data compression processing implemented at the lower level of the operating system, because the application program controlling the transaction is unaware of the result of a compression performed at operating-system level and cannot take it into account to save space when writing to the card's memory. Yet data compression at operating-system level seems particularly appropriate for a smart card, because of its limited data storage capacity. To remedy this limitation, it is proposed to create a new type of variable-length elementary file and to add it to the existing fixed-length elementary file types, while continuing to comply with the ISO 7816-4 standard in order to maintain upward compatibility between smart cards.

The new variable-length elementary file type VREF 7 is based on building a variable-length chain of small-capacity, fixed-length elementary domains 8 that share the storage zone 60 of a directory file 6 of a new type, called a variable directory file VDF 6, created for the purpose and whose structure is detailed in figure 2.

This variable directory file VDF 6 is distinguished from conventional directory files DF 3 by a specific identifier written in the header reserved for it in the management zone 21 of the main file MF 2. Like the conventional directory files DF 3, it has a storage zone 60 complemented by a management zone 61.

The storage zone 60 of a variable directory file VDF 6 is divided into elementary domains 8 of equal length and small capacity, and can contain a variable number of variable-length files VREF 7. These elementary domains, for example multiples of 16 bytes, have, at their start or end, a field of one or two bytes excluded from data storage and reserved for chaining links. These links give the occupied or free status of each elementary domain, as well as the address of the next elementary domain when the domain considered forms part of a chain making up a variable-length elementary file VREF 7 and is not the last in the chain; the next elementary domain is not necessarily contiguous. The links of an elementary domain consist, for example, of a number taking the value 0 to signify that the domain is free, the value of a domain address locating the next domain with which the domain considered is chained, or a particular value greater than the domain addresses signifying the end of a chain.

The management zone 61 of a variable directory file VDF 6 contains headers 610, 611 of variable-length elementary files VREF 7, containing mainly the start address of the chain of elementary domains 8 of the storage zone 60 assigned to the variable-length elementary file considered.
The creation of a variable directory file VDF 6 is manifested by:

- the writing, in the management zone 21 of the master file MF 2, of a header assigned to this variable directory file, identifying it and reserving for it a certain location in the storage zone 20 of the master file MF 2. This header is the one described by the ISO 7816-4 standard, but its type becomes the variable DF type,

- the division of the reserved location into a management zone 61 and a storage zone 60,

- the writing, in the newly created management zone 61, of a certain number of characteristics of the new variable directory file, including the size of the directory of headers of variable-length elementary files, a global erase indicator, the size of its elementary domains, the address of the first elementary domain, etc., and

- the formatting of the new storage zone 60 into elementary domains, with initialization of the links.

Once a variable directory file VDF 6 exists, the creation of a variable-length elementary file is manifested by:

- identification of the file by assigning a header in the management zone 61 of the variable directory file VDF 6 considered, with an "id-file" identifier standardized by ISO 7816-4, the locating of the first free elementary domain found in the storage zone with a view to assigning it to the file, and the setting of an erase indicator, and

- the writing of the data assigned to the file, starting with the first free elementary domain located and then overflowing onto other free domains until the data to be written are exhausted, with, at each jump of elementary domain, the writing into the links of the elementary domain just left of the address of the next one, and the updating in the links of the next elementary domain of the occupation identifier.

A variable-length elementary file is thus created whose length is adapted, each time, to the precise quantity of data to be stored, by a longer or shorter chaining of low-capacity elementary domains.

In the case of a classic fixed-length REF or TEF file, the number of records, that is to say of partial writes of the file, is fixed once and for all, the creation of the file implying the reservation of a memory capacity that is not necessarily used immediately and that becomes unavailable for the creation of other files. This is no longer the case with a variable-length file VREF, which occupies only the memory capacity strictly necessary for the records it contains and leaves the unused memory free for other files.
The management of transparent elementary files TEF 5, of classic record files REF 4 or of variable-length files VREF 7, that is to say their creation, writing, reading, erasure and deletion, is done in the classic way by means of routines of the operating system of the smart card microcontroller, called through the command interpreter of the operating system by means of commands respecting the formalism of the ISO 7816-4 standard, that is to say with a format composed of several successive fields: an instruction class field, an instruction field and a parameter field. Preferably, the usual commands of the ISO 7816-4 standard are used for the management of transparent elementary files TEF and record files REF, and the same commands with a proprietary instruction class field for the variable-length elementary files. Thanks to this, upward compatibility is obtained with smart cards that respect the ISO 7816-4 standard and know only the two usual types of elementary files, namely transparent elementary files TEF and record elementary files REF.

Obviously, the writing or erasure of a variable-length elementary file respects the usual security rules.

A file creation or a write is carried out only if the space necessary for the action is available. A write that has begun must complete in order to be validated. This is obtained, in accordance with the 7816-4 standard, by means of an auxiliary activity bit placed in the header concerning the file, set to one before the intended action and reset to zero after the end of the action. If the activity bit remains at one after an action, the file is declared invalid and can no longer be accessed. Finally, a maximum record size is provided in the management zone of the host variable directory file VDF so as to monitor data transfers.







In the same way, an erasure that has begun must be completed in order to be validated. This is obtained by means of an erase bit placed in the header concerning the file, set to one before the erasure, which consists of reinitializing the links of the elementary domains belonging to the chain constituting the file, then reset to zero at the end of the action, just before the deletion of the file header. If a file erase action is interrupted by untimely removal of the smart card from its reader, the erase bit signals it and allows the interrupted erase action to be completed before any subsequent use of the smart card.
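The following C model, added here and not part of the patent, ties together the VREF creation described above (links of 0 for a free domain, the next domain's address, or an end-of-chain value above every address) with the activity and erase bits of the last two paragraphs; the domain size, the header fields (including a stored length) and the end-of-chain value 0xFF are assumptions, and power loss during an erase is simulated by a `stop_after` parameter.

```c
/* Added example (not the patent's own code): a model of the VDF storage zone.
 * Domain addresses run from 1 to NUM_DOMAINS so that link value 0 can mean
 * "unoccupied"; LINK_END is a value above any domain address. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DOMAIN_SIZE 16                    /* elementary domain 8: a multiple of 16 bytes */
#define LINK_BYTES  1                     /* link range at the start of each domain */
#define PAYLOAD     (DOMAIN_SIZE - LINK_BYTES)
#define NUM_DOMAINS 8                     /* storage zone 60 = 8 domains (assumed) */
#define LINK_FREE   0                     /* link value 0: domain unoccupied */
#define LINK_END    0xFF                  /* value above every address: end of chain */

typedef struct {
    uint8_t  in_use;    /* header slot allocated in management zone 61 */
    uint8_t  first;     /* address of the chain's first domain */
    uint16_t length;    /* bytes stored (assumed; the patent lists only the start address) */
    uint8_t  activity;  /* activity bit: set before a write, cleared after it */
    uint8_t  erase;     /* erase bit: set before an erase, cleared before header removal */
    uint8_t  invalid;   /* set when an interrupted write is found at power-up */
} vref_header_t;

typedef struct {
    uint8_t       zone[NUM_DOMAINS][DOMAIN_SIZE]; /* storage zone 60 */
    vref_header_t hdr;                            /* management zone 61 (one header) */
} vdf_t;

static uint8_t *link_of(vdf_t *v, uint8_t a) { return &v->zone[a - 1][0]; }
static uint8_t *data_of(vdf_t *v, uint8_t a) { return &v->zone[a - 1][LINK_BYTES]; }

/* Formatting of the storage zone: every link initialised to "free" (0). */
void vdf_format(vdf_t *v) { memset(v, 0, sizeof *v); }

int vdf_free_count(const vdf_t *v) {
    int n = 0;
    for (uint8_t a = 1; a <= NUM_DOMAINS; a++) n += v->zone[a - 1][0] == LINK_FREE;
    return n;
}

static uint8_t find_free(const vdf_t *v) {
    for (uint8_t a = 1; a <= NUM_DOMAINS; a++)
        if (v->zone[a - 1][0] == LINK_FREE) return a;
    return 0;
}

/* Create a VREF holding len bytes. Refused (-1) unless the whole write fits,
 * so a write that starts can always be completed. Returns domains chained. */
int vref_create(vdf_t *v, const uint8_t *data, size_t len) {
    size_t needed = len ? (len + PAYLOAD - 1) / PAYLOAD : 1;
    if (v->hdr.in_use || (size_t)vdf_free_count(v) < needed) return -1;
    v->hdr.in_use = 1;
    v->hdr.activity = 1;                  /* write begins */
    v->hdr.length = (uint16_t)len;
    uint8_t prev = 0;
    for (size_t i = 0, off = 0; i < needed; i++) {
        uint8_t cur = find_free(v);
        *link_of(v, cur) = LINK_END;      /* now occupied: provisional end of chain */
        size_t n = (len - off < PAYLOAD) ? len - off : PAYLOAD;
        memcpy(data_of(v, cur), data + off, n);
        off += n;
        if (prev) *link_of(v, prev) = cur; /* link the domain just left to this one */
        else v->hdr.first = cur;
        prev = cur;
    }
    v->hdr.activity = 0;                  /* write completed and validated */
    return (int)needed;
}

/* Follow the chain from the header's start address; returns bytes copied. */
size_t vref_read(vdf_t *v, uint8_t *out, size_t cap) {
    size_t off = 0;
    for (uint8_t a = v->hdr.first; a != LINK_END && a != 0 && off < v->hdr.length && off < cap;
         a = *link_of(v, a)) {
        size_t n = (v->hdr.length - off < PAYLOAD) ? v->hdr.length - off : PAYLOAD;
        if (n > cap - off) n = cap - off;
        memcpy(out + off, data_of(v, a), n);
        off += n;
    }
    return off;
}

/* Erase: set the erase bit, reinitialise the links of the chain, then remove the
 * header (which clears the bit). stop_after > 0 simulates the card being pulled
 * from the reader after that many domains have been freed. */
void vref_erase(vdf_t *v, int stop_after) {
    v->hdr.erase = 1;
    for (int done = 0; v->hdr.first != LINK_END && v->hdr.first != 0; done++) {
        if (stop_after && done == stop_after) return;   /* power lost here */
        uint8_t cur = v->hdr.first;
        v->hdr.first = *link_of(v, cur);  /* advance the header before freeing, so an
                                             interrupted erase can always be resumed */
        *link_of(v, cur) = LINK_FREE;
    }
    memset(&v->hdr, 0, sizeof v->hdr);    /* erase bit cleared, header deleted */
}

/* Power-up check: a pending erase is completed before any other use, and a
 * file whose activity bit stayed set is declared invalid. Returns 1 if acted. */
int vdf_power_up(vdf_t *v) {
    if (v->hdr.in_use && v->hdr.erase) { vref_erase(v, 0); return 1; }
    if (v->hdr.in_use && v->hdr.activity) { v->hdr.invalid = 1; return 1; }
    return 0;
}

int main(void) {
    vdf_t v; uint8_t msg[40];
    vdf_format(&v);
    for (int i = 0; i < 40; i++) msg[i] = (uint8_t)i;   /* constructed payload */
    printf("chained %d domains, %d free\n", vref_create(&v, msg, sizeof msg), vdf_free_count(&v));
    vref_erase(&v, 1);                    /* card pulled after one domain freed */
    printf("recovered=%d free=%d\n", vdf_power_up(&v), vdf_free_count(&v));
    return 0;
}
```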

Obviously, the invention is not limited to the embodiment described but extends to all variants within the reach of the person skilled in the art. The links of the elementary domains, which constitute a sort of domain allocation table, may be moved outside the storage zone of the host variable-type directory file and gathered in a range of the management zone of the latter.
CLAIMS

1. Method for storing data in a rewritable memory of a smart card, characterized in that it consists in storing the data, at least in part, in variable-length elementary files (7) each composed of a variable-length chain of fixed-length domains (8) of low individual capacity of the rewritable memory, said chain having its domains (8) located by means of a domain allocation table evolving as a function of the number of data actually stored.

2. Method according to claim 1, characterized in that the variable-length elementary files (7) are located in the rewritable memory within larger directory files of variable type (6) containing their domains (8) and their domain allocation tables.

3. Method according to claim 2, characterized in that a domain allocation table comprises a header (610) placed in a management zone (61) of the host variable directory file (6), locating the address of the domain (8) at the start of the chain in the host variable directory file (6), and links placed in locations reserved in each domain of the host variable directory file (6), identifying the membership of each domain in a chain.

4. Method according to claim 1, characterized in that said domains (8) have a capacity equal to or a multiple of 16 bytes.

5. Method according to claim 3, characterized in that said links occupy between one and two bytes in each domain (8).

6. Method according to claim 3, characterized in that said links of a domain (8) contain a number taking the value 0 to signify that the domain considered is unoccupied, the value of a domain address identifying the next domain with which the domain considered is chained, or a particular value greater than the domain addresses signifying the end of a chain.

7. Method according to claim 1, characterized in that the management of said variable-length elementary files is done by means of routines of an operating system called through specific commands understood by the command interpreter of said operating system and including in their formulation an instruction class field, an instruction field and a parameter field.

8. Method according to claim 1, characterized in that it consists in storing the data partly in variable-length elementary files (7) each composed of a variable-length chain of fixed-length domains (8) of low capacity of the rewritable memory, said chain having its domains (8) located by means of a domain allocation table evolving as a function of the variations in the number of data actually stored, and partly in fixed-length elementary files (4, 5).

9. Method according to claim 8, characterized in that the variable-length elementary files (7) and the fixed-length elementary files (4, 5) are located in the rewritable memory in distinct directory files (3, 6) of larger capacity, variable directory files (6) containing the domains (8) and the domain allocation tables of the variable-length elementary files, and fixed directory files (3) containing the fixed-length elementary files (4, 5) and headers identifying the fixed-length elementary files by the addresses of their starts and by the indications of their capacities.
The card type storage medium comprises a storage unit (2) holding a file area (21) including a dedicated file (24) served to hold PINs and file names of data files (22) stored in a directory area (23) in the storage unit (2) such that the PIN and file name of each data file (22) correspond to each other. The card type storage medium holds control information (232) including a master PIN for the dedicated file (24) in the directory area (23) in the storage unit (2). A recovery information unit (25) is additionally provided in a data file (22) in the file area (21) in the storage unit (2), which holds recovery information obtained every time the data file (22) is updated. This card type storage medium is applicable to, for example, an IC card.
BACKGROUND OF THE INVENTION

(1) Field of the Invention

The present invention relates to a card type storage medium such as an IC card used as a cashless card, an identification (I.D.) card, a health management card, a municipal corporation card, etc. and an issuing apparatus issuing such card type storage medium.

(2) Description of the Related Art

A card type storage medium, for example, an IC card having an integrated circuit therein, has become widespread in recent years.

A file controlling program is set into the IC card to retain data therein so that the data to be processed by an external application program that is incorporated within a terminal apparatus, a host computer or the like can be managed in each file as a unit.

Referring to FIG. 17, a typical IC card 100 comprises a terminal (a contact or a data communication mechanism) 110, a storage 120 and a control unit 130.

When the IC card 100 is inserted into an IC card reader/writer (not shown) of a terminal apparatus, a host computer or the like, the terminal 110 is brought into contact with a terminal of the IC card reader/writer to send and receive a signal.

The storage 120 has a file area 121 in which data to be processed by each of the various application programs is retained in each file, and a directory area 123 which retains control information about each data file 122 held in the file area 121.

The control unit (MPU: micro processor unit) 130 manages the data retained in the file area 121 in the storage unit 120 on the basis of the control information stored in the directory area 123 in the storage unit 120.

Some IC cards have an electric source therein, and some IC cards need to be supplied with electric energy from a terminal apparatus or a host computer by being inserted into the terminal apparatus or the host computer. In the latter case, a non-volatile storage such as an EEPROM is used as the storage unit 120.

Such an IC card 100 is used as a cashless card, an ID card, a health management card, a municipal corporation card, etc.

In department stores, supermarkets, etc., a POS system has been accomplished with employment of a cashless card such as a prepaid card or a credit card for sales promotion. If the IC card is used as such a cashless card, it is essential to provide a function for advance payment or future payment to the cashless card, for example, the prepaid card or the credit card.

If the IC card 100 is used as an ID card to improve convenience in, for example, an intelligent building, the IC card needs to have a function to hold data about entrance to and retrieval from the room, attendance of employees, etc. in the data files 122.

If the IC card 100 is used as a health management card in a hospital, a fitness facility or the like to improve convenience, the IC card 100 has to hold various data such as appointments, the patient record, results of examination and measurement for the management.

Likewise, if the IC card 100 is used as a municipal corporation card to improve use of public facilities or administrative services, the IC card holds data about appointments at the facilities and automatic issue of various applications as data files 122 therein.

The IC card 100 shown in FIG. 17 has a predetermined personal identification number (hereinafter referred to as PIN) for every data file 122 retained in the storage unit 120 in order to reinforce the security of the data retained in the IC card 100. Each of the PINs is held as control information in the directory area 123 in the storage unit 120.

In order to gain access from an external application or the like, only when a PIN sent with the access is in coincidence with the PIN retained in the directory area 123 in the storage unit 120 does the control unit 130 allow reading or updating of the data retained in the data file 122.

The PIN for each data file 122 is set when the IC card 100 is issued by a card issuing apparatus (not shown). Management of the PINs set by the card issuing apparatus, which differ from each other depending on the card owner, is carried out by another host computer (not shown) different from the card issuing apparatus.

If a person owning the IC card accidentally forgets a PIN of his or her own IC card 100, the PIN is read out from the host computer managing the PIN through a terminal apparatus which can gain access to the host computer to verify the PIN.

The host computer manages the PINs of the owners of all issued IC cards (card type storage media) 100. In addition, it is sometimes necessary to set plural different PINs for every data file in each IC card. The host computer therefore requires a large area in its storage to manage the PINs. The management of the PINs is, therefore, quite complex and troublesome for the entire IC card system. Moreover, in the event of an accident, use of a terminal apparatus accessible to the host computer is indispensable to verify the IC card. Such verification of the IC card causes inconvenience to users of the IC card.

Meanwhile, a card type storage medium which was used before the IC card, for example a magnetic card, is operated in a mode where the stored data is unchangeable, as personal identification information (ID). An IC card 100 as above is used in a mode where stored data (for example, information about an amount of money) is variable, as represented by a cashless card.

In such a mode of use, the IC card is used as a cashless card. In the event of an accident such as a system down, power-source break-down, or pull-out of the IC card 100 in the course of an updating process to receive money or for account settlement, a failure may develop in data in the data file 122 in the IC card 100. At present, it is impossible to repair or restore (data recovery) such a failure in data within the IC card 100.

To cope with such an event, a presently conducted technique is to set an area of 1 byte referred to as BCC (block check character) in each record of data held in the data file 122 of the IC card 100, adjust the BCC such that the bit number in each record becomes an even number or an odd number, write the BCC in each record, and check the bit number in each record as to whether it is an even number or an odd number upon reading out the data. For instance, in the case where the BCC is so adjusted that the bit number in each record is an even number, if the bit number in the record is an odd number upon checking, some action is taken upon check-out, such as prohibiting the IC card 100 from being used.

It is, however, impossible to detect a system failure such as conflicting data developed between the records by such a BCC check, as shown in FIG. 18.

Namely, in the case where data writing and updating are executed a plurality of times (three times in FIG. 18) as one unit of process in the course from an open to a close of the IC card 100 by the application program 200 of an external terminal apparatus or the like, if a system failure occurred before the second updating after the first record was updated, it is impossible to detect the system failure by the BCC since no conflict occurred in the data of any record unit held in the IC card 100.

Since the BCC checks the number of bits per record unit, if 2 bits (an even number of bits) are left out, or the number of bits is the same but the represented values are different (for example, "0111" and "1011", if three bits), it is impossible to detect such a failure as conflicting data.

In consequence, for example, as shown in FIG. 19, if a system failure occurred while one record is being written into the IC card 100, causing a situation where there exist an updated part and an unupdated part within the same record, there is a possibility that such a failure cannot be detected.

To solve the above problem, it is necessary to provide a BCC in each record in the file area 121 of the storage unit 120. This results in a large area being required for the BCCs if a large volume of data needs to be stored in the card.
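An added illustration of the two BCC blind spots described above (it is example code, not from the patent): an even-parity BCC on a constructed 4-byte record, one check showing the "0111" to "1011" miss and the even-bit-loss miss, and one reproducing the FIG. 18 case where each record's BCC passes although the pair of records is inconsistent. The record layout and the balance/transaction-count data are assumptions.

```c
/* Added example (not the patent's own code): the 1-byte BCC parity scheme of
 * the prior art and the two failure cases it misses. Record layout and the
 * balance / transaction-count data are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DATA_LEN 4                 /* data bytes per record */
#define REC_LEN  (DATA_LEN + 1)    /* plus one BCC byte at the end */

static int ones_in(const uint8_t *p, size_t n) {
    int c = 0;
    for (size_t i = 0; i < n; i++)
        for (uint8_t b = p[i]; b; b >>= 1) c += b & 1;
    return c;
}

/* Write data and a BCC chosen so the record's total bit count is even. */
void record_write(uint8_t rec[REC_LEN], const uint8_t data[DATA_LEN]) {
    memcpy(rec, data, DATA_LEN);
    rec[DATA_LEN] = (uint8_t)(ones_in(data, DATA_LEN) & 1);   /* 0x00 or 0x01 */
}

/* The check-out test: 1 if the bit count is even (record accepted). */
int record_bcc_ok(const uint8_t rec[REC_LEN]) {
    return (ones_in(rec, REC_LEN) & 1) == 0;
}

/* Case 1 (damage inside one record, FIG. 19): overwrite the data bytes without
 * touching the BCC and report whether the check still accepts the record. */
int corrupt_still_passes(const uint8_t data[DATA_LEN], const uint8_t damaged[DATA_LEN]) {
    uint8_t rec[REC_LEN];
    record_write(rec, data);
    memcpy(rec, damaged, DATA_LEN);       /* bits changed, BCC left as written */
    return record_bcc_ok(rec);
}

/* Case 2 (FIG. 18): one unit of work updates records 1 and 2 together. If power
 * is lost after record 1 is rewritten, every record still has a valid BCC, yet
 * the pair is inconsistent. Returns 1 when the per-record check accepts the file. */
int partial_update_passes(void) {
    const uint8_t bal_old[DATA_LEN] = {0, 0, 0x03, 0xE8};  /* balance 1000 */
    const uint8_t bal_new[DATA_LEN] = {0, 0, 0x01, 0xF4};  /* balance 500 after a debit */
    const uint8_t cnt_old[DATA_LEN] = {0, 0, 0, 7};        /* 7 transactions logged */
    uint8_t file[2][REC_LEN];
    record_write(file[0], bal_old);
    record_write(file[1], cnt_old);
    record_write(file[0], bal_new);       /* first write of the unit completes ... */
    /* ... system failure here: the count record is never updated to 8 */
    return record_bcc_ok(file[0]) && record_bcc_ok(file[1]);
}
```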

As stated above, there has been developed no technique to repair and restore data failure (data recovery) within the IC card 100. If such repair and restore are handled on the side of the apparatus, the host computer needs to manage recovery information (restoration data and the like) of all IC cards every time the IC card is used. As a result, it is necessary to execute the recovery on a data conflict by (1) communicating with the host computer in real time to restore the data, or (2) prohibiting the IC card from being used and issuing a new card.

To cope with the above problem, the conventional IC card has disadvantages such that the configuration of the IC card system becomes difficult, a large area is required to store recovery information in the storage of the host computer, and management of the entire IC card system becomes quite complex, the same as for the PIN management. Further, to repair and restore the data in the IC card 100 in the event of a system failure, it is necessary to use a terminal apparatus accessible to the host computer, or to reissue the IC card. Such data recovery work is quite troublesome to the card user.

SUMMARY OF THE INVENTION

From the above viewpoint, an object of this invention is to provide a card type storage medium and a card type storage medium issuing apparatus, in which management of PINs heretofore carried out by a host computer becomes dispensable, the PIN management in the entire system is simplified, and verification of a PIN in the event of an accident is easily and simply carried out so that inconvenience to users may be mitigated upon verification of the PIN.

Another object of this invention is to provide a card type storage medium which can reliably detect conflicting data developed due to a system failure without using a BCC, and to realize repair and restore of the conflicting data developed due to a system failure by and within the card itself, thereby simplifying the apparatus configuration and reducing inconvenience to the users upon restoring the data.

The present invention therefore provides a card type storage medium comprising a storage unit having a file area holding data in each file as a unit and a directory area holding therein control information units each including a PIN of a data file
in said file area in said storage unit on the basis of said control information units in said directory area in said storage unit, said control unit allowing an access process on a data file only when a PIN held in said control information unit in said directory area in said storage unit is in agreement with a PIN fed from outside, the improvement comprising a dedicated file being set in said file area in said storage unit, said dedicated file holding PINs of the data files held in said respective control information units in said directory area in said storage unit and file names of the data files such that the PIN and file name of each data file correspond to each other, another control information unit being set in said directory area in said storage unit, said control information unit holding a master PIN of said dedicated file.

According to the above card type storage medium of this invention, a dedicated file is provided in a file area in the storage unit to hold data including PINs and file names of the respective data files. It is, therefore, possible to manage the PINs retained in each card type storage medium by and within the card type storage medium itself. It is also possible to omit PIN management by the host computer, largely reducing the burden of PIN management on the entire system.

As another aspect, the present invention also provides a card type storage medium issuing apparatus issuing the above card type storage medium comprising the storage unit and the control unit, said card type storage medium issuing apparatus comprising a data file creating means, in response to a data file creating command from outside, setting a control information unit for a data file including a PIN of said data file to create said data file in said file area in said storage unit according to said data file creating command, a PIN matching means, in response to a data file accessing command to gain access to the data file created by said data file creating means from the outside, making a judgement as to whether the PIN of said data file to be accessed according to said data file access command held in said control information unit in said directory area in said storage unit is in agreement with a PIN included in said data file accessing command supplied from the outside, a data file accessing means executing an access process on the data file to be accessed when said PIN matching means judges that said two PINs are in agreement, a dedicated file creating means, in response to a dedicated file creating command from the outside, setting a control information unit for said dedicated file including a master PIN for said dedicated file to create said dedicated file in said file area in said storage unit according to said dedicated file creating command, a master PIN matching means, in response to a dedicated file access command to gain access to said dedicated file created by said dedicated file creating means from the outside, making a judgement as to whether the master PIN of said dedicated file held in said control information unit in said directory area in said storage is in agreement with a master PIN included in said dedicated file access command supplied from the outside, and a dedicated file access means executing an access process on said dedicated file when said master PIN matching means makes a judgement that the above two master PINs are in agreement, upon issuing said IC card, said dedicated file accessing means writing the PINs of the data files held in said respective control information units in said directory area in said storage unit into said dedicated file such that the PIN and file name of each data file correspond to each other according to a dedicated file accessing command supplied from outside after said dedicated file creating means created said dedicated file.

In the above card type storage medium issuing apparatus of this invention, upon issuing the IC card, said dedicated file creation instructing means first transfers a dedicated file creating command. Said dedicated file access instructing means then generates a dedicated file access command including data including PINs and file names of the respective data files and transfers it to said card type storage medium, thereby setting a dedicated file holding data including the PINs and file names of the respective data files such that the PIN and file name of each data file correspond to each other in the file area in the storage unit of the card type storage medium. It is, therefore, possible to manage the PINs of each card type storage medium by and within the card type storage medium itself. The management of the PINs by the host computer thus can be omitted, largely reducing the burden of managing the PINs on the entire system.

The card type storage medium according to this invention comprises a storage unit having a file area holding data by file therein and a directory area holding control information about each data file in said file area therein, and a control unit managing data in said area on the basis of said control information in said directory area in said storage unit, said card type storage medium executing updating on a data file by said control unit in response to an instruction from outside. A recovery information unit is additionally provided in the data file in said file area in said storage unit, into which recovery information obtained every time said control unit updates the data file is written. A start serial number obtained when a data file is opened and an end serial number obtained when the data file is closed are written into said recovery information unit as recovery information.
As still another aspect, the card type storage medium of this invention comprises a storage unit and a control unit, said control unit comprising a data file opening means opening, in response to a data file opening instruction supplied from outside, a data file in said file area in said storage unit on the basis of the control information in a directory area in said storage unit, a data file updating means updating, in response to a data file updating instruction supplied from the outside, data in a data file opened by said data file opening means, and a data file closing means closing, in response to a closing instruction supplied from the outside, the data file opened by said data file opening means after the data file has been opened. A recovery information unit is additionally provided in the data file in said file area in said storage unit, into which recovery information obtained every time said control unit updates the data file is written. The control unit further comprises a start serial number obtaining means obtaining a start serial number when said data file opening means opens a data file to write it into said recovery information unit, and an end serial number obtaining means obtaining an end serial number every time said data file closing means closes a data file to write it into said recovery information unit as recovery information.

According to the card type storage medium of this invention, it is possible to detect that a system failure occurred between an open and a close of a data file by comparing the start serial number with the end serial number held in the recovery information unit.
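The start/end serial number detection just described, as an added C model that is not the patent's own code: a data file carries a recovery information unit, the open writes a start serial number, the close writes the matching end serial number, and an open that was never closed is detected on the next use. Treating the serial number as a counter kept by the control unit, and keeping a before-image of the record as the restoration data, are assumptions of this example.

```c
/* Added example (not the patent's own code): start/end serial numbers in a
 * recovery information unit, modelled on one data file of REC_LEN bytes. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REC_LEN 8

typedef struct {
    uint32_t start_serial;      /* written when the data file is opened */
    uint32_t end_serial;        /* written when the data file is closed */
    uint8_t  before[REC_LEN];   /* copy of the record taken at open (assumed restoration data) */
} recovery_unit_t;

typedef struct {
    uint8_t         record[REC_LEN];  /* application data of data file 22 */
    recovery_unit_t recovery;         /* recovery information unit 25 */
    int             is_open;
} data_file_t;

static uint32_t serial_source;     /* monotonic serial number kept by the control unit (assumed) */

void df_init(data_file_t *f, const uint8_t initial[REC_LEN]) {
    memset(f, 0, sizeof *f);
    memcpy(f->record, initial, REC_LEN);
}

/* Detection: an open that was never matched by a close leaves start != end. */
int df_interrupted(const data_file_t *f) {
    return f->recovery.start_serial != f->recovery.end_serial;
}

/* Open: refuse (-1) while a previous session is unresolved. The before-image is
 * stored first and the start serial second, so a failure between the two writes
 * leaves the record and its serial numbers consistent. */
int df_open(data_file_t *f) {
    if (df_interrupted(f)) return -1;
    memcpy(f->recovery.before, f->record, REC_LEN);
    f->recovery.start_serial = ++serial_source;
    f->is_open = 1;
    return 0;
}

int df_update(data_file_t *f, size_t off, const uint8_t *d, size_t n) {
    if (!f->is_open || off + n > REC_LEN) return -1;
    memcpy(f->record + off, d, n);
    return 0;
}

void df_close(data_file_t *f) {
    f->recovery.end_serial = f->recovery.start_serial;   /* session complete */
    f->is_open = 0;
}

/* Restore: roll the record back to the before-image and mark the session resolved. */
void df_restore(data_file_t *f) {
    memcpy(f->record, f->recovery.before, REC_LEN);
    f->recovery.end_serial = f->recovery.start_serial;
    f->is_open = 0;
}

/* The FIG. 18 situation: three updates form one unit of process and power is
 * lost after the first. Returns 1 if the failure is detected on the next use
 * and the record rolled back to its state before the unit began. */
int demo_interrupted_unit(void) {
    const uint8_t init[REC_LEN] = {1, 1, 1, 1, 1, 1, 1, 1};   /* constructed data */
    const uint8_t part1[2] = {9, 9};
    data_file_t f;
    df_init(&f, init);
    if (df_open(&f) != 0) return 0;
    df_update(&f, 0, part1, 2);         /* first of three updates */
    /* ... card pulled from the reader: the other updates and the close never happen */
    if (!df_interrupted(&f)) return 0;  /* next use of the card: detected by the serials */
    df_restore(&f);
    return memcmp(f.record, init, REC_LEN) == 0 && !df_interrupted(&f);
}
```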

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating an aspect of this invention;

FIG. 2 is a block diagram illustrating another aspect of this invention;

FIG. 3 is a block diagram illustrating still another aspect of this invention;

FIG. 4 is a block diagram illustrating still another aspect of this invention;

FIG. 5 is a block diagram showing a card type storage medium and an issuing apparatus issuing the card type storage medium according to the first embodiment of this invention;

FIG. 6 is a block diagram showing a file structure in a storage unit of the card type storage medium according to the first embodiment;

FIG. 7 is an illustration of a typical hardware configuration of the card type storage medium issuing apparatus according to the first embodiment;

FIG. 8 is a block diagram showing a card type storage medium according to a second embodiment of this invention;

FIG. 9 is a block diagram showing a file structure in a storage unit of the card type storage medium according to the second embodiment;

FIG. 10 is an illustration showing a content of data held in a recovery information unit of the card type storage medium according to the second embodiment;

FIG. 11 is a flow chart of an operation to obtain recovery information in the card type storage medium according to the second embodiment;

FIG. 12 is a flow chart of an operation to detect a system failure and restore data in the card type storage medium according to the second embodiment;

FIGS. 13A through 13C are illustrations of a content of data in the recovery information unit in order to explain an operation of the card type storage medium according to the second embodiment;

FIG. 14 is an illustration of a content of data in the recovery information unit in order to explain the operation of the card type storage medium according to the second embodiment;

FIG. 15 is an illustration of a content of data in the recovery information unit in order to explain the operation of the card type storage medium according to the second embodiment;

FIGS. 16A and 16B are illustrations of a content of data in the application area and the recovery information unit in order to explain the operation of the card type storage medium according to the second embodiment;

FIG. 17 is a block diagram showing a configuration of a typical IC card;

FIG. 18 is an illustration showing a state of data stored in an IC card when a system failure occurred.

FIG. 19 is an illustration showing a state of data stored in an IC card when a system failure occurred.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

(1) Description of Aspects of This Invention

FIG. 1 is a block diagram illustrating an aspect of this invention. In FIG. 1, reference numeral 1 denotes a card type storage medium. The card type storage medium 1 comprises a storage unit 2 and a control unit 3.

The storage unit 2 includes a file area 21 holding data in each file as a unit, and a directory area 23 having a control information unit 231 to hold a PIN for each data file 22 in the file area 21.
The control unit 3 is to manage the data files 22 in the file area 21 in the storage unit 2 on the basis of data held in the control information units 231 in the directory area 23 in the storage unit 2. In this card type storage medium 1, only when the PIN held in the control information unit 231 in the directory area 23 in the storage unit 2 agrees with a PIN fed from outside does the control unit 3 permit the data files to be accessed.

In the file area 21 in the storage unit 2 of this card type storage medium 1, there is provided a dedicated file 24 to hold the PINs and file names of the data files 22, such that each PIN corresponds to the file name of the data file 22 whose PIN is retained in the control information units 231 in the directory area 23 in the storage unit 2. Likewise, there is provided another control information unit 232 in the directory area 23 in the storage unit 2 to hold a master PIN (i.e., a PIN that only the system manager knows) for the dedicated file 24.

It is possible to encipher the PINs of the data 
files 22 and hold them in the dedicated file 24. 

In the card type storage medium shown in FIG. 
1, the data of the PINs for the respective data files 
22 and the corresponding file names are set in the 
dedicated file 24. The PINs in each card type 
storage medium are therefore managed by and 
within the card type storage medium itself. As a 
result, the management of the PINs by the host 
computer is dispensable. 

The data in the dedicated file 24 cannot be 
read out without an input of the master PIN (that is 
known by only the system manager) held in the 
control information unit 232 in the directory area 
23. 

Enciphering the PINs for the respective data files 22 in the dedicated file 24 more effectively prevents those PINs from becoming known to persons other than the system manager, even if the master PIN becomes known to such a person.

FIG. 2 is a block diagram illustrating another aspect of this invention. In FIG. 2, reference numeral 10 denotes a card type storage medium. The card type storage medium 10 has a similar configuration to the card type storage medium shown in FIG. 1, essentially comprising a storage unit 2 and a control unit 3.

The storage unit 2 has, as similar to that shown 
in FIG. 1, a file area 21 retaining data in each file 
as a unit and a directory area 23 including control 
information units 231 each retaining a PIN for a 
data file 22 in the file area 21 therein. 

The control unit 3 is, as also similar to the one shown in FIG. 1, to manage the data files 22 in the file area 21 in the storage unit 2 on the basis of the data held in the control information units 231 in the directory area 23 in the storage unit. The control unit 3 shown in FIG. 2 is provided with a data file creating means 31, a PIN matching means 32, a data file accessing means 33, a dedicated file creating means 34, a master PIN matching means 35 and a dedicated file accessing means 36.

When receiving a data file creating command from the outside (i.e., a card type storage medium issuing apparatus 4 described later), the data file creating means 31 sets the control information unit 231 for the data file 22, containing a PIN for the data file 22, in response to the data file creating command in order to create said data file 22 in the file area 21 in the storage unit 2.

When receiving a data file access command from the outside to gain an access to the data file 22 created by the data file creating means 31, the PIN matching means 32 makes a judgement as to whether a PIN included in the data file access command agrees with the PIN of the data file 22 to be accessed, held in the control information unit 231 in the directory area 23 in the storage unit 2.

The data file accessing means 33 is to gain an access to the data file 22 to be accessed when a result of the matching carried out by the PIN matching means 32 is positive.

When receiving a dedicated file creating command from the outside (i.e., the card type storage medium issuing apparatus 4 described later), the dedicated file creating means 34 sets a control information unit 232 for a dedicated file 24, including a master PIN (known only by the system manager) for the dedicated file 24, in the directory area 23 in the storage unit 2 in response to the dedicated file creating command, in order to create the dedicated file 24 in the file area 21 in the storage unit 2.

When receiving a dedicated file access command from the outside (i.e., the card type storage medium issuing apparatus 4 described later) to gain an access to the dedicated file 24 created by the dedicated file creating means 34, the master PIN matching means 35 makes a judgement as to whether the master PIN of the dedicated file 24 retained in the control information unit 232 in the directory area 23 in the storage unit 2 agrees with a master PIN contained in the inputted dedicated file access command.

When a result of the matching between the above two master PINs carried out by the master PIN matching means 35 is positive, the dedicated file accessing means 36 allows an access to the dedicated file 24.

Upon issuing the card type storage medium 10 of this invention, the dedicated file creating means 34, to begin with, creates the dedicated file 24. The dedicated file accessing means 36 next writes the PINs of the respective data files 22 retained in the control information units 231 in the directory area 23 in the storage unit 2 into the dedicated file 24, such that each PIN corresponds to the file name of its data file 22, in response to the dedicated file access command supplied from the outside (the card type storage medium issuing apparatus 4, described later).

It is possible to encipher the PINs for the data 
files 22 and hold them in the dedicated file 24. 

In FIG. 2, reference numeral 4 denotes the 
card type storage medium issuing apparatus. The 
card type storage medium issuing apparatus 4 
issues the card type storage medium 10 (or a card 
type storage medium 1) as described hereinbefore, 
comprising a data file creation instructing means 
41, a data file access instructing means 42, a 
dedicated file creation instructing means 43 and a 
dedicated file access instructing means 44. 

The data file creation instructing means 41 sets a control information unit 231 of the data file 22, including a PIN for the data file 22, in the directory area 23 in the storage unit 2. The data file creation instructing means 41 then generates a data file creating command including the PIN, and transmits the generated data file creating command to the card type storage medium 10 (i.e., the data file creating means 31) in order to create the data file 22 in the file area 21 in the storage unit 2.

The data file access instructing means 42 generates a data file access command including a PIN for the data file 22 to be accessed, and transmits the generated data file access command to the card type storage medium 10 (i.e., the PIN matching means 32 and the data file accessing means 33) in order to get an access to the data file 22 created in the file area 21 in the storage unit 2.

The dedicated file creation instructing means 43 sets the control information unit 232 for the dedicated file 24, including a master PIN for the dedicated file 24, in the directory area 23 in the storage unit 2. The dedicated file creation instructing means 43 generates a dedicated file creating command including the master PIN, and transmits the generated dedicated file creating command to the card type storage medium 10 (i.e., the dedicated file creating means 34) in order to create the dedicated file 24 in the file area 21 in the storage unit 2.

The dedicated file access instructing means 44 generates a dedicated file access command including the master PIN for the dedicated file 24, and transmits the generated dedicated file access command to the card type storage medium 10 (i.e., the master PIN matching means 35 and the dedicated file accessing means 36) in order to gain an access to the dedicated file 24 created in the file area 21 in the storage unit 2.



In the card type storage medium issuing apparatus 4, the dedicated file creation instructing means 43 transfers a dedicated file creating command to the card type storage medium 10 when the card type storage medium 10 is issued. Thereafter, the dedicated file access instructing means 44 generates a dedicated file access command including data of the file names and PINs of the respective data files 22, and transfers it to the card type storage medium 10 (i.e., the dedicated file accessing means 36) in order to write the PINs of the data files 22 such that the PIN of each data file 22 corresponds to its file name as retained in the control information unit 231 in the directory area 23 in the storage unit 2.

It is possible that, upon verification of the PINs of the card type storage medium, the dedicated file access instructing means 44 of the card type storage medium issuing apparatus 4 generates a dedicated file accessing command including a master PIN, and transfers it to the card type storage medium 10 (i.e., the master PIN matching means 35 and the dedicated file accessing means 36) in order to read out data from the dedicated file 24 in the file area 21 in the storage unit 2 in the card type storage medium 10 to be verified.

When the data of the PIN and the file name of the data file 22 is read out from the dedicated file 24 in the card type storage medium 10 in response to the dedicated file accessing command from the dedicated file access instructing means 44 of the card type storage medium issuing apparatus 4, the data file access instructing means 42 generates a data file accessing command including the PIN read out, and transfers it to the card type storage medium 10 (i.e., the PIN matching means 32 and the data file accessing means 33) to instruct the card type storage medium 10 to verify the correctness of the data file 22 corresponding to the PIN read out.

In the case where enciphered PINs of the data files are held in the dedicated file 24, there are also provided an enciphering means enciphering the PINs of the data files 22 to be written into the dedicated file 24 in the card type storage medium 10 by the dedicated file access instructing means 44, and a deciphering means deciphering the enciphered PINs of the data files 22 read out from the dedicated file 24 in the card type storage medium 10 by the dedicated file access instructing means 44.

In the card type storage medium 10 set forth above in connection with FIG. 2, the data file creating means 31 sets a control information unit 231 for the data file 22, including a PIN, in the directory area 23 in the storage unit 2 in response to a data file creating command from the card type storage medium issuing apparatus 4.
When receiving a data file accessing command from the outside to access a data file 22 created by the data file creating means 31, the PIN matching means 32 makes a judgement as to whether the PIN included in the data file accessing command agrees with the PIN of the data file 22 to be accessed (held in the control information unit 231 in the directory area 23).

When a result of the matching executed by the 
PIN matching means 32 is positive, the data file 
access means 33 allows an access to the data file 
22 to be accessed. 

In the card type storage medium 10, the dedicated file creating means 34 sets, upon issuing the card type storage medium, the control information unit 232 for the dedicated file 24, including the master PIN (i.e., the PIN known only by the system manager), in the directory area 23 in the storage unit 2, in response to the dedicated file creating command, in order to create the dedicated file 24 in the file area 21 in the storage unit 2.

When receiving the dedicated file accessing command from the card type storage medium issuing apparatus 4 to gain an access to the dedicated file 24 created by the dedicated file creating means 34, the master PIN matching means 35 makes a judgement as to whether a master PIN included in the dedicated file accessing command agrees with the master PIN of the dedicated file 24 (retained in the control information unit 232 in the directory area 23).

When a result of the matching executed by the master PIN matching means 35 is positive, the dedicated file accessing means 36 carries out an access process (that is, write/read) on the dedicated file 24.

When the card type storage medium 10 is issued, the dedicated file accessing means 36 writes the PIN and the file name of each data file into the dedicated file 24, in such a manner that the PIN and the file name correspond to each other, in response to a dedicated file accessing command from the card type storage medium issuing apparatus 4 after the dedicated file creating means 34 has created the dedicated file 24.

In the above manner, the data of the PIN and the file name of each data file 22 is written in the dedicated file 24 in the file area 21 in the storage unit 2 of the card type storage medium 10. The management of the PINs in each card type storage medium 10 is carried out by and within the card type storage medium 10 itself, so that management of the PINs by the host computer is dispensable.

The data in the dedicated file 24 cannot be 
read out without knowing the master PIN (the PIN 
known by only the system manager) retained in the 
control information unit 232 in the directory area 
23. 



Encipherment of the PINs of the data files 22 stored in the dedicated file 24 is more effective to prevent the PINs of the data files 22 from leaking outside as they are, even if the master PIN becomes known to a person other than the system manager.

The above mentioned card type storage medium issuing apparatus 4 shown in FIG. 2 issues the card type storage medium 10 (or a card type storage medium 1).

More specifically, the data file creation instructing means 41 generates a data file creating command including the PINs of the data files 22, and transfers it to the card type storage medium 10 (i.e., the data file creating means 31) to set the control information units 231 for the data files 22, including the PINs for the respective data files 22, in the directory area 23 in the storage unit 2 in response to the data file creating command, so that the data files 22 may be created in the file area 21 in the storage unit 2.

The data file access instructing means 42 generates a data file accessing command including a PIN for a data file 22 to be accessed, and transfers it to the card type storage medium 10 (i.e., the PIN matching means 32 and the data file accessing means 33) to perform an access process (i.e., write/read) on the data file 22 created in the file area 21 in the storage unit 2.

On the other hand, the dedicated file creation instructing means 43 generates a dedicated file creating command including a master PIN, and transfers it to the card type storage medium 10 (i.e., the dedicated file creating means 34) to set the control information unit 232 for the dedicated file 24, including the master PIN for the dedicated file 24, so that the dedicated file 24 is created in the file area 21 in the storage unit 2.

The dedicated file access instructing means 44 generates a dedicated file accessing command including the master PIN for the dedicated file 24, and transfers it to the card type storage medium 10 (i.e., the master PIN matching means 35 and the dedicated file accessing means 36) to perform an access process (i.e., write/read) on the dedicated file 24.

Upon issuing the card type storage medium 10 (or the card type storage medium 1), the dedicated file creation instructing means 43, to begin with, transfers the dedicated file creating command. The dedicated file access instructing means 44 next generates a dedicated file accessing command including data of the PINs and the file names of the respective data files 22, and transfers it to the card type storage medium 10 (i.e., the dedicated file accessing means 36).

The data of the PINs and the file names of the respective data files 22 is thus set in the dedicated file 24 in the file area 21 in the storage unit 2 of the card type storage medium 10. The management of the PINs in the card type storage medium 10 is carried out by and within each card type storage medium 10 itself, so that the management of the PINs by the host computer may be omitted.

The data in the dedicated file 24 cannot be 
read out by a person not knowing the master PIN 
(i.e., the PIN known only by the system manager) 
retained in the control information unit 232 in the 
directory area 23. 

In the event of an accident, the dedicated file 
access instructing means 44 generates a dedicated 
file access command including the master PIN, and 
transfers it to the card type storage medium 10 
(i.e., the master PIN matching means 35 and the 
dedicated file accessing means 36), whereby the 
card type storage medium issuing apparatus 4 can 
read out the data (i.e., the data of the PINs and the 
file names of the respective data files 22) from the 
dedicated file 24 in the file area 21 in the storage 
unit 2 of the card type storage medium 10 to verify 
the PINs of the card type storage medium 10. 

When the data of the PINs and the file names of the data files 22 is read out from the dedicated file 24 in response to the dedicated file accessing command from the dedicated file access instructing means 44, the data file access instructing means 42 generates a data file accessing command including the PIN read out, and transfers it to the card type storage medium 10 (i.e., the PIN matching means 32 and the data file accessing means 33) to verify the correctness of the data file 22 corresponding to the PIN.

It is possible to encipher the PINs of the data files to be written in the dedicated file 24 by the dedicated file access instructing means 44, and to decipher the enciphered PINs read out from the dedicated file 24 by the dedicated file access instructing means 44. The dedicated file can therefore hold the enciphered PINs for the respective data files 22. Even if the master PIN becomes known to a person other than the system manager, the enciphered PINs of the data files are securely prevented from becoming known as they are.

According to this invention, the PINs of the data files 22 and their file names are held in the dedicated file 24 in the file area 21 in the storage unit 2 of the card type storage medium 1 or 10, in such a manner that the PIN and the file name of each data file 22 correspond to each other, as stated above. Therefore, each card type storage medium 1 or 10 can manage the PINs by and within the card type storage medium itself; the management of the PINs by the host computer thus becomes dispensable and the burden of managing the PINs in the entire system can be largely reduced.



The data in the dedicated file 24 is prevented from being read out without use of the master PIN known only by the system manager. Moreover, the enciphered PINs of the respective data files 22 held in the dedicated file 24 can be effectively prevented from becoming known as they are to another person, even if the master PIN becomes known to a person other than the system manager. In that case, it is impossible to decipher the enciphered PINs as long as the manner of the encipherment is kept secret. This can surely prevent the PINs from leaking outside, causing no trouble in security, even if the card type storage medium 1 or 10 manages the PINs therein.

Also according to this invention, when the card type storage medium issuing apparatus 4 issues the card type storage medium 1 or 10, the dedicated file creation instructing means 43 transfers a dedicated file creating command, and the dedicated file access instructing means 44 then generates a dedicated file accessing command including data of the PINs and file names of the respective data files 22 and transfers it to the card type storage medium 1 or 10, whereby a dedicated file 24 holding the PINs and the file names of the respective data files 22 therein can be set, so that the card type storage medium 1 or 10 can manage the PINs by itself. This can omit the management of the PINs by the host computer, largely simplifying the PIN management in the entire system. The data in the dedicated file 24 cannot be read out without the master PIN known only by the system manager.

In order to read out the data of the PINs and the file names of the data files 22 from the dedicated file 24 of the card type storage medium 1 or 10, the dedicated file access instructing means 44 generates a dedicated file accessing command including the master PIN, and transfers it to the card type storage medium 1 or 10. In the event of an accident, it is possible to verify the PINs in the card type storage medium 1 or 10, mitigating inconvenience to the user upon verification of the PINs.

On the verification of a PIN, the data file access instructing means 42 transfers a data file accessing command to the card type storage medium in order to verify the PIN read out from the dedicated file 24. This process makes it possible to verify the correctness of the data file 22 corresponding to the PIN read out, with a high reliability in the PIN verification process.

The PINs to be written into the dedicated file 24 by the dedicated file access instructing means 44 are enciphered by the enciphering means, while the enciphered PINs read out from the dedicated file 24 by the dedicated file access instructing means 44 are deciphered by the deciphering means, whereby the dedicated file 24 can hold the PINs for the respective data files 22 as ciphers. Even if the master PIN becomes known to a person other than the system manager, it is possible to prevent the PINs of the data files from leaking out as they are. So long as the manner of the encipherment does not leak out, it is impossible to decipher the PINs. This can prevent, with certainty, the PINs from leaking outside, causing no trouble in security, even if the card type storage medium 1 or 10 manages the PINs therein.
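The PIN management and issuing sequence described for FIG. 1 and FIG. 2 above (data file creating means 31 through dedicated file accessing means 36 on the card, instructing means 41 through 44 plus the enciphering and deciphering means in the issuing apparatus 4), modelled in Python as an added example. This is illustration code, not the patent's own implementation. The file names, the PIN values, the keyed-BLAKE2b keystream used as the encipherment (the page leaves the cipher unspecified), the name of the dedicated file and the record format are all assumptions of the example.

```python
"""Model of the PIN-managing card type storage medium (FIG. 1 / FIG. 2) and its
issuing apparatus 4. Added illustration; cipher and record layout are assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass

DEDICATED_FILE = "DEDICATED"   # assumed file name of dedicated file 24


@dataclass
class ControlInfo:
    """Control information unit: 231 for a data file, 232 for the dedicated file."""
    pin: bytes
    dedicated: bool = False


class CardStorageMedium:
    """Card type storage medium 10: storage unit 2 and control unit 3."""

    def __init__(self):
        self.file_area = {}    # file area 21: file name -> list of records
        self.directory = {}    # directory area 23: file name -> ControlInfo

    def create_data_file(self, name, pin):
        """Data file creating means 31."""
        if name in self.directory:
            raise ValueError(f"file {name!r} already exists")
        self.directory[name] = ControlInfo(pin=pin)
        self.file_area[name] = []

    def access_data_file(self, name, pin, record=None):
        """PIN matching means 32 and data file accessing means 33: returns the
        records of the file on a positive match (after appending `record` if
        given), None when the PIN disagrees or the file is not a data file."""
        ctl = self.directory.get(name)
        if ctl is None or ctl.dedicated:
            return None
        if not hmac.compare_digest(ctl.pin, pin):   # constant-time comparison
            return None
        if record is not None:
            self.file_area[name].append(record)
        return list(self.file_area[name])

    def create_dedicated_file(self, master_pin):
        """Dedicated file creating means 34: sets control information unit 232."""
        self.directory[DEDICATED_FILE] = ControlInfo(pin=master_pin, dedicated=True)
        self.file_area[DEDICATED_FILE] = []

    def access_dedicated_file(self, master_pin, entries=None):
        """Master PIN matching means 35 and dedicated file accessing means 36."""
        ctl = self.directory.get(DEDICATED_FILE)
        if ctl is None or not hmac.compare_digest(ctl.pin, master_pin):
            return None
        if entries is not None:
            self.file_area[DEDICATED_FILE].extend(entries)
        return list(self.file_area[DEDICATED_FILE])


def _keystream(key, nonce, length):
    """Keyed BLAKE2b in counter mode: an assumed stand-in for the unspecified cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.blake2b(nonce + counter.to_bytes(4, "big"),
                               key=key, digest_size=32).digest()
        counter += 1
    return out[:length]


class IssuingApparatus:
    """Card type storage medium issuing apparatus 4 (means 41 to 44 and the
    enciphering / deciphering means)."""

    def __init__(self, master_pin, cipher_key):
        self.master_pin = master_pin    # known only to the system manager
        self.key = cipher_key           # key of the enciphering means

    def encipher(self, pin):
        nonce = os.urandom(16)          # fresh nonce: equal PINs differ on the card
        return nonce + bytes(a ^ b for a, b in zip(pin, _keystream(self.key, nonce, len(pin))))

    def decipher(self, blob):
        nonce, body = blob[:16], blob[16:]
        return bytes(a ^ b for a, b in zip(body, _keystream(self.key, nonce, len(body))))

    def issue(self, card, pins):
        """Issuing order of the text: dedicated file first (43), data files (41),
        then the (file name, enciphered PIN) pairs are written into it (44)."""
        card.create_dedicated_file(self.master_pin)
        for name, pin in pins.items():
            card.create_data_file(name, pin)
        card.access_dedicated_file(self.master_pin,
                                   entries=[(n, self.encipher(p)) for n, p in pins.items()])

    def verify(self, card):
        """PIN verification after an accident: read dedicated file 24 with the
        master PIN (44), decipher each PIN and present it to its data file (42).
        Returns {file name: matched?}, or None if the master PIN was rejected."""
        entries = card.access_dedicated_file(self.master_pin)
        if entries is None:
            return None
        return {name: card.access_data_file(name, self.decipher(blob)) is not None
                for name, blob in entries}
```

issue() performs the issuing order the text prescribes, and verify() performs the post-accident check: read the dedicated file with the master PIN, decipher each PIN, and try it against its data file through the PIN matching means, so a data file whose control information no longer agrees with the dedicated file shows up as False. PIN comparisons go through hmac.compare_digest so the match result does not leak through timing; the stand-in keystream gives confidentiality only, so a real deployment would pair the stored PINs with an integrity check.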

FIG. 3 is a block diagram showing another aspect of this invention. In FIG. 3, reference numeral 11 denotes a card type storage medium, comprising a storage unit 2 and a control unit 5.

The storage unit 2 has a file area 21 holding data by files therein and a directory area 23 holding control information about each data file 22 in the file area 21 therein. The control unit 5 manages data in the file area 21 in the storage unit 2 on the basis of the control information in the directory area 23 in the storage unit 2. In the card type storage medium 11, the control unit 5 updates the objective data file 22 when receiving a command from outside.

The card type storage medium 11 is additionally provided with a recovery information unit 25 in the data file 22 in the file area 21 in the storage unit 2, into which recovery information obtained every time an updating operation is performed on the objective data file 22 by the control unit 5 is written. In the recovery information unit 25, there are written (1) a start serial number obtained when the objective data file 22 is opened, (2) restoration data consisting of a record number to be updated and the unupdated data at that record number, obtained when the data file is updated, and (3) an end serial number obtained when the data file 22 is closed.

Meanwhile, it is possible to attach check serial 
numbers as recovery information, before and after 
the start serial number, the restoration data and the 
end serial numbers, respectively, in the recovery 
information unit 25. 

If the updating process is performed a plurality of times on the same record number in the course from an open to close of the objective data file 22, the restoration data is not written into the recovery information unit 25 at the second updating process and later.

It is also possible to set information about the presence of the recovery information unit 25 in the objective data file 22, and information about a relative position of the recovery information unit 25 in the objective data file 22 if the recovery information unit 25 exists, in the control information unit in the directory area 23 in the storage unit 2.

In the card type storage medium shown in FIG. 3, (1) a start serial number obtained when an objective data file 22 is opened, (2) restoration data consisting of a record number to be updated and the unupdated data at that record number, obtained when the objective data file 22 is updated, and (3) an end serial number obtained when the objective data file 22 is closed, are written as recovery information into the recovery information unit 25 additionally provided in the data file 22 in the file area 21 in the storage unit 2.

The start serial number in the recovery information unit 25 is compared with the end serial number. If the result of the comparison is in disagreement, it is possible to know from the result that a system failure occurred between an open and close of the objective data file 22, without using a BCC.

Moreover, the check serial numbers are attached before and after the start serial number, the restoration data and the end serial number, respectively, in the recovery information unit 25 as recovery information. The check serial numbers attached before and after the start serial number, the restoration data and the end serial number are compared with each other, respectively. If a result of the comparison is in disagreement, it is also possible to detect an occurrence of a system failure in the course of writing the restoration data or the end serial number into the recovery information unit 25, so as to know the validity of each datum stored in the recovery information unit 25.

If the same record number is updated plural times between an open and close of the objective data file 22, the restoration data obtained is not written into the recovery information unit 25 at the second updating process and later. It is therefore always possible to hold the preceding data (the data before the updating) from before the open of the data file 22 as the restoration data for that record number in the recovery information unit 25.

The above process enables the state inside the card type storage medium 11 after an occurrence of a system failure to be effectively recovered to the state before the updating process in which the system failure occurred.

By setting information as to the presence of the recovery information unit 25 in a data file, and information about a relative position of the recovery information unit 25 in the objective data file 22 if the recovery information unit 25 exists, in the directory area 23 in the storage unit 2, it is possible to make a judgement as to whether predetermined data should be written into the recovery information unit 25 or data recovery should be executed on the basis of the data stored in the recovery information unit 25.

FIG. 4 is a block diagram showing still another aspect of this invention. In FIG. 4, reference numeral 12 denotes a card type storage medium corresponding to the second invention. The card type storage medium 12, as similar to the card type storage medium 11 shown in FIG. 3, essentially comprises a storage unit 2 and a control unit 5.

The storage unit 2, as similar to the storage unit 2 shown in FIG. 3, has a file area 21 holding data in each file as a unit, and a directory area 23 holding control information including PINs for the data files 22 in the file area 21 therein. In the data file 22 in the file area 21 in the storage unit 2 of this invention, there is additionally provided a recovery information unit 25 holding recovery information obtained every time the control unit 5 executes an updating operation on the data file 22.

The control unit 5 manages the data files 22 in the file area 21 in the storage unit on the basis of the control information in the directory area 23 in the storage unit 2, similarly to the one shown in FIG. 3. The control unit 5 of this invention includes a data file opening means 51, a data file updating means 52, a data file closing means 53, a start serial number obtaining means 54, a restoration data obtaining means 55 and an end serial number obtaining means 56.

When receiving an opening command from the 
outside, the data file opening means 51 opens a 
data file in the file area 21 in the storage unit 2 on 
the basis of the control information stored in the 
directory area 23 in the storage unit 2, in response 
to the opening command. 

When receiving an updating command from 
the outside after the data file 22 has been opened, 
the data file updating means 52 updates data in the 
data file 22 that has been opened by the data file 
opening means 51. 

When receiving a closing command from the 
outside after the data file 22 has been opened, the 
data file closing means 53 closes the data file 22 
that has been opened by the data file opening 
means 51. 

The start serial number obtaining means 54 
obtains a start serial number when the data file 22 
is opened by the data file opening means 51, and 
writes it as recovery information into the recovery 
information unit 25. 

When the data file 22 is updated by the data file updating means 52, the restoration data obtaining means 55 obtains restoration data, that is, the data before execution of the updating operation by the data file updating means 52, and writes it as recovery information into the recovery information unit 25.

The end serial number obtaining means 56 
obtains an end serial number when the data file 
closing means 53 closes the data file 22, and 
writes it as recovery information into the recovery 
information unit 25. 

Incidentally, it is possible to attach check serial numbers as recovery information before and after the start serial number, the restoration data and the end serial number, respectively, when the start serial number obtaining means 54, the restoration data obtaining means 55 and the end serial number obtaining means 56 obtain the start serial number, the restoration data and the end serial number, respectively, and then write them together into the recovery information unit 25.

It is also possible to provide in the control unit 5 a restoration data initializing means initializing the restoration data obtained in the last process stored in the recovery information unit 25 before writing the new restoration data obtained this time by the recovery data obtaining means 55 into the recovery information unit 25. 

When the data file updating means 52 carries out the updating process a plurality of times on the same record number between an open and close of the objective data file 22, the recovered data obtaining means 55 does not write the restoration data into the recovery information unit 25 after the second updating and later. 

It is also possible to set information about the presence of the recovery information unit 25 in the data file 22 and information about a relative position of the recovery information unit 25 in the data file 22, if the recovery information unit 25 exists, in the control information unit for the data file 22 in the directory area 23 in the storage unit 2. 

It is also possible to provide a failure detecting means in the control unit 5, which detects a failure in the last process, on the basis of a start serial number, an end serial number and check serial numbers attached before and after the start serial number and the end serial number, respectively, as recovery information stored in the recovery information unit 25, by referring to the control information about an objective data file in the directory area 23 in the storage unit 2 if the data file 22 has the recovery information unit 25, in response to an opening command from the outside. 

If the check serial numbers attached before and after the start serial number are in disagreement, the failure detecting means judges that a failure occurred when the data file was opened by the data file opening means 51 in the last process. When detecting a failure that occurred when the data file was opened in the last process, the failure detecting means outputs a demand to perform once more the last process and a demand to restore the start serial number. 

It is possible to provide a start serial number restoring means in the control unit 5, which restores the start serial number stored in the recovery information unit 25 to the one at the time of two updating processes earlier in response to the demand to restore the start serial number from the failure detecting means. 

In the case where the check serial numbers attached before and after the start serial number are in agreement but the check serial numbers attached before and after the end serial number are in disagreement, the failure detecting means judges that a failure occurred when the data file was closed by the data file closing means 53 in the last process. When detecting that a failure occurred when the data file was closed in the last process, the failure detecting means outputs a demand to restore the end serial number. 

It is possible to provide an end serial number 
restoring means in the control unit 5, which re- 
stores the end serial number stored in the recovery 
information unit 25 to the one at the time of the last 
process in response to a demand to restore the 
end serial number from the failure detecting 
means. 

In the case where the check serial numbers attached before and after the start serial number and the check serial numbers attached before and after the end serial number are individually in agreement but the start serial number and the end serial number are in disagreement, the failure detecting means judges that a failure occurred in the course of updating the data file by the data file updating means 52 in the last process. When detecting that a failure occurred in the course of updating the data file in the last process, the failure detecting means outputs a demand to once more perform the last process and a demand to restore the data in the data file 22. 

It is possible to provide a data restoring means 
in the control unit 5, which restores the data in the 
data file 22 on the basis of the restoration data 
stored in the recovery information unit 25 in re- 
sponse to a demand to restore the data in the data 
file 22 from the failure detecting means. 

The data restoring means comprises a restoration data effectiveness detecting means which makes a judgement that the restoration data is effective when the check serial numbers attached before and after the restoration data are in agreement, and a restoration data writing means which, when the restoration data effectiveness detecting means judges that the restoration data is effective, writes said restoration data before the updating as data at the record number of said restoration data in the data file 22 into the data file 22. 
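The bookkeeping just described (a start serial number at open, restoration data at the first update, an end serial number at close, each bracketed by check serial numbers) and the three failure cases, as an added example that is not the patent's own code: a C model written the way firmware for the control unit 5 would be. Its serial-number policy (the start serial number is one above the last end serial number, and the close copies the start serial number into the end serial number), its single restoration slot per open/close cycle, the convention that a check serial number of 0 means "never written", and every identifier are the example's own assumptions. A system failure is simulated by discarding every non-volatile field write once a chosen number of writes has been made (`writes_left`); setting it back to -1 stands for power returning before the next opening command.

```c
#include <stdbool.h>
#include <stdint.h>

#define RECORDS 4

typedef struct {
    uint16_t records[RECORDS];   /* application data in data file 22 */
    /* recovery information unit 25: each item sits between two copies of a
     * check serial number; check serial 0 means "never written" */
    uint16_t chk_before_start, start_serial, chk_after_start;
    uint16_t chk_before_rest, rest_record, rest_data, chk_after_rest;
    uint16_t chk_before_end, end_serial, chk_after_end;
    uint16_t check_ctr;          /* last check serial number issued */
    bool rest_taken;             /* restoration data saved in this cycle */
    int writes_left;             /* <0: power fine; else writes left before power loss */
} data_file;

enum failure { NO_FAILURE, FAIL_AT_OPEN, FAIL_AT_CLOSE, FAIL_DURING_UPDATE };

/* One field write to non-volatile memory; lost once the simulated power loss has hit. */
static bool store(data_file *f, uint16_t *dst, uint16_t v) {
    if (f->writes_left == 0) return false;
    if (f->writes_left > 0) f->writes_left--;
    *dst = v;
    return true;
}

static uint16_t next_check(data_file *f) {
    if (++f->check_ctr == 0) f->check_ctr = 1;   /* 0 is reserved for "unwritten" */
    return f->check_ctr;
}

/* Write a serial number between two copies of a fresh check serial number. */
static bool store_serial(data_file *f, uint16_t *before, uint16_t *item, uint16_t v,
                         uint16_t *after) {
    uint16_t chk = next_check(f);
    return store(f, before, chk) && store(f, item, v) && store(f, after, chk);
}

/* Write the restoration slot (record number, pre-update data) between check serials. */
static bool store_rest(data_file *f, uint16_t chk, uint16_t rec, uint16_t data) {
    return store(f, &f->chk_before_rest, chk) && store(f, &f->rest_record, rec) &&
           store(f, &f->rest_data, data) && store(f, &f->chk_after_rest, chk);
}

/* Opening command: the start serial number is one above the last end serial number. */
static bool file_open(data_file *f) {
    f->rest_taken = false;
    return store_serial(f, &f->chk_before_start, &f->start_serial,
                        (uint16_t)(f->end_serial + 1), &f->chk_after_start);
}

/* Updating command: the first update of a cycle initializes the restoration slot and
 * saves the pre-update data; later updates of the same record keep that original
 * (one slot, so a different record in the same cycle is refused). */
static bool file_update(data_file *f, uint16_t record, uint16_t value) {
    if (record >= RECORDS || (f->rest_taken && f->rest_record != record)) return false;
    if (!f->rest_taken) {
        if (!store_rest(f, 0, 0, 0)) return false;
        if (!store_rest(f, next_check(f), record, f->records[record])) return false;
        f->rest_taken = true;
    }
    return store(f, &f->records[record], value);   /* the record itself is written last */
}

/* Closing command: the end serial number copies the start serial number. */
static bool file_close(data_file *f) {
    return store_serial(f, &f->chk_before_end, &f->end_serial, f->start_serial,
                        &f->chk_after_end);
}

/* Failure detecting means, run on the next opening command (no BCC needed). */
static enum failure detect_failure(const data_file *f) {
    if (f->chk_before_start != f->chk_after_start) return FAIL_AT_OPEN;
    if (f->chk_before_end !=  f->chk_after_end) return FAIL_AT_CLOSE;
    return f->start_serial != f->end_serial ? FAIL_DURING_UPDATE : NO_FAILURE;
}

/* Restoring means: repair the unit and, for an update failure, the data file. */
static enum failure recover(data_file *f) {
    enum failure why = detect_failure(f);
    if (why == FAIL_AT_OPEN) {          /* the open never took effect: last cycle stands */
        f->start_serial = f->end_serial;
        f->chk_before_start = f->chk_after_start;
    } else if (why == FAIL_AT_CLOSE) {  /* updates were complete: finish the close */
        f->end_serial = f->start_serial;
        f->chk_after_end = f->chk_before_end;
    } else if (why == FAIL_DURING_UPDATE) {   /* use the slot only if its checks agree and are live */
        if (f->chk_before_rest == f->chk_after_rest && f->chk_before_rest != 0)
            f->records[f->rest_record % RECORDS] = f->rest_data;
        f->start_serial = f->end_serial;  /* the cycle is to be performed once more */
    }
    return why;
}
```

A cycle that loses power before its close leaves the start and end serial numbers unequal with both check pairs intact, so `detect_failure` reports FAIL_DURING_UPDATE and `recover` puts the saved pre-update data back. Power lost while the restoration slot itself is being written leaves its check serials unequal (or both at the reserved 0 right after the initialization), so the slot is ignored; the record, which is written only after the slot, is still intact at that point.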

In the card type storage medium 12 shown in FIG. 4, recovery information obtained every time the data file 22 is updated according to an instruction from the control unit 5 is written in the recovery information unit 25, which is provided in the data file 22 in the file area 21 in the storage unit 2. 

More specifically, a start serial number obtained by the start serial number obtaining means 54 when the data file opening means 51 opens the data file 22, restoration data consisting of a record number to be updated and unupdated data at the same record number obtained by the restoration data obtaining means 55 when the data file updating means 52 updates the data file 22, and an end serial number obtained by the end serial number obtaining means 56 when the data file closing means 53 closes the data file 22 are written in the recovery information unit 25. 

The start serial number and the end serial number in the recovery information unit 25 are compared with each other. If the two numbers are in disagreement, it means that a system failure occurred between an open and close of the data file 22. It is thus possible to detect a system failure without using a BCC. 

When the start serial number obtaining means 54, the restoration data obtaining means 55 and the end serial number obtaining means 56 obtain a start serial number, restoration data and an end serial number, respectively, check serial numbers are attached before and after the start serial number, the restoration data and the end serial number, respectively, then written into the recovery information unit 25 as recovery information. If the check serial numbers of the start serial number, the recovered data and the end serial number are in disagreement when compared with each other, it means that a system failure occurred while the start serial number, the recovered data or the end serial number was written into the recovery information unit 25, so that it becomes possible to detect a system failure and to verify the effectiveness of data stored in the recovery information unit 25. 

Before the restoration data obtained by the restoration data obtaining means 55 is written into the recovery information unit 25, the restoration data obtained in the last process stored in the recovery information unit 25 is initialized by the recovery data initializing means, thereby preventing the previously stored restoration data from remaining in the recovery information unit by overwriting the new restoration data obtained in this process when the recovered data is written into the recovery information unit 25, further preventing an erroneous detection of a system failure or the like. 

In the case where the updating process is carried out a plurality of times by the data file updating means 52 on the same record number between an open and close of the data file 22, the recovered data obtaining means 55 does not write the recovered data into the recovery information unit 25 after the second updating process and later. Whereby, the previous data obtained before the open of the data file 22 (data before the updating process) of the same record number may always be held as restoration data in the recovery information unit 25. 
It is possible to restore the state of the card type storage medium 12 after a system failure has occurred to the state before an updating process in which the system failure occurred, on the basis of the data in the recovery information unit 25. 

By setting information about the presence of the recovery information unit 25 and information about a relative position of the recovery information unit 25 in a data file 22, if the recovery information unit 25 exists, in the directory area 23 in the storage unit 2, it is possible to make a judgement as to whether predetermined data should be written into the recovery information unit 25 or data recovery on the basis of the data in the recovery information unit 25 should be performed, only by referring to the directory area 23 in the storage unit 2 from the control unit 5. 

In response to an opening command from the outside, the control information stored in the directory area 23 in the storage unit 2 with respect to the objective data file 22 is referred to. If the objective data file 22 has a recovery information unit 25, the failure detecting means provided in the control unit 5 checks as to whether a failure occurred in the last process or not, on the basis of a start serial number, an end serial number and check serial numbers attached before and after the start serial number and the end serial number, thereby detecting conflicting data having developed due to a system failure without using a BCC. 

If the check serial numbers attached before and after the start serial number are in disagreement, the failure detecting means detects an occurrence of a failure when the data file was opened by the data file opening means 51 in the last process. When detecting a failure, the failure detecting means outputs a demand to execute once more the last process and a demand to restore the start serial number, thereby appropriately performing again the last process that was erroneously terminated due to the system failure. 

The start serial number restoring means restores the start serial number stored in the recovery information unit 25 to the one at the time of the last process so that the state of the recovery information unit 25 can be automatically restored to the state at the time of two updating processes earlier within the card type storage medium 12. 

In the case where the check serial numbers attached before and after the start serial number are in agreement but the check serial numbers attached before and after the end serial number are in disagreement, the failure detecting means judges that a failure occurred when the data file closing means closed the data file in the last process. If detecting a failure, the failure detecting means outputs a demand to restore the end serial number to cause the end serial number restoring means to restore the end serial number stored in the recovery information unit 25 to the one at the time of the last process, thereby automatically restoring the state of the recovery information unit 25 to the state at the time of the last process within the card type storage medium 12. 

In the case where the check serial numbers attached before and after the start serial number and the check serial numbers attached before and after the end serial number are individually in agreement but the start serial number and the end serial number are in disagreement, the failure detecting means judges that a failure occurred during the last updating process carried out by the data file updating means 52. The failure detecting means outputs a demand to perform once more the last process and a demand to restore the data in the data file 22, thereby once again carrying out the last process that failed due to the system failure. 

The data restoring means restores the data in the data file 22 on the basis of the recovered data stored in the recovery information unit 25. This enables the data file 22 to be automatically restored to the state at the time of the two updating processes earlier (a state before the failure occurred), thereby once more executing the last process appropriately on the data file 22 in the state two updating processes earlier. 

When the data restoring means restores the data, the restoration data writing means writes only effective restoration data, whose check serial numbers attached before and after the restoration data are judged to be in agreement by the restoration data effectiveness detecting means, thereby enabling data recovery without using restoration data in which a system failure occurred while it was being written (that is, data whose check serial numbers attached before and after the data are in disagreement). 

According to this invention, the start serial number and the end serial number in the recovery information unit 25 are compared with each other in the card type storage medium 11 or 12. If the start serial number and the end serial number are in disagreement, it is thus possible to detect a system failure that occurred between an open and close of the data file 22. The check serial numbers attached before and after each data are also compared with each other. If the check serial numbers are in disagreement, it is thus possible to detect a system failure that occurred while a start serial number, recovered data or an end serial number was written into the recovery information unit 25, whereby the effectiveness of each data written in the recovery information unit 25 can be verified, and further, conflicting data developed due to the system failure can be surely detected. 
Before the recovered data obtained by the recovery data obtaining means 55 is written in the recovery information unit 25, recovered data that was written in the recovery information unit 25 in the last process is initialized by the restoration data initializing means, thereby preventing the previous restoration data from remaining in the recovery information unit 25 by overwriting when the new restoration data is written in the recovery information unit 25, further preventing the system failure from being erroneously detected. 

In the case where the updating process is executed a plurality of times on the same record number by the data file updating means 52 between an open and close of the data file 22, the restoration data is not written in the recovery information unit 25 after the second updating and later. The recovery information unit 25 therefore can always hold data before the data file is opened (that is, data before the updating) at the same record number. It is thus possible, even after a system failure has occurred, to effectively restore the state in the card type storage medium 11 or 12 to a state before the updating process in which a system failure occurred, on the basis of the data in the recovery information unit 25. 

Information about the presence of the recovery information unit 25 and information about a relative position of the recovery information unit 25 in the data file 22, if the recovery information unit 25 exists, are set in the directory area 23 in the storage unit 2, whereby a judgement can be made as to whether predetermined data should be written into the recovery information unit 25, or data recovery should be performed on the basis of the data in the recovery information unit 25, only by referring to the directory area 23 in the storage unit 2 from the control unit 5. 

The failure detecting means can detect a failure having occurred in the last process on the basis of a start serial number, an end serial number and check serial numbers attached before and after the start serial number and the end serial number, respectively, held in the recovery information unit 25 in response to an opening command from the outside, if the data file 22 has the recovery information unit 25, thereby automatically detecting conflicting data developed due to a system failure without using a BCC within the card type storage medium 11 or 12. 

According to a result of detection carried out by the failure detecting means, the start serial number restoring means, the end serial number restoring means and the data restoring means can automatically repair and restore the recovery information unit 25 or the application area, thereby simplifying the configuration of the system and, in addition, reducing inconvenience to the users upon restoring the data. 

When the data restoring means restores the data, the restoration data writing means writes only effective restoration data, whose check serial numbers attached before and after the restoration data are judged to be in agreement by the restoration data effectiveness detecting means, into the data file. This makes it possible to store only certain and effective data, avoiding use of restoration data in which a system failure occurred while the restoration data was being written. 

(b) Description of First Embodiment 

Description will be hereinafter made in detail of a first embodiment of this invention. Now, referring to FIG. 7, there is shown an IC (integrated circuit) card 6 as a card type storage medium, having an IC unit 60 therein. The IC card 6 is issued by a card issuing apparatus (a card type storage medium issuing apparatus) 7 having a hardware configuration as shown in FIG. 7. 

The IC card issuing apparatus 7 comprises, as shown in FIG. 7, an IC card reader/writer 71, a personal computer 72 and a printer 73. 

The IC card reader/writer 71 is connected to the personal computer 72 via a dedicated line (for example, an RS232C cable); the IC card 6 is inserted into it to be read out or written into. 

The personal computer 72 causes the IC card reader/writer 71 to write data into the IC card 6 so that the IC card may have a predetermined data content therein, functioning as a main frame of the card issuing apparatus. 

The printer 73 serves to print out a PIN and the like that is a result of verification made on personal identification numbers (PINs) onto predetermined printing paper 75 in response to an instruction from the personal computer 72. 

An internal configuration of the IC card 6 as a card type storage medium according to the first embodiment of this invention will be hereinafter described referring to FIGS. 5 and 6. 

As shown in FIG. 5, the IC card 6 according to the first embodiment comprises a data communication mechanism 61, a storage unit 62 and a control unit 63. 

The data communication mechanism 61 of the IC card 6 sends and receives information to and from the card issuing apparatus 7 when the IC card 6 is inserted into the IC card reader/writer 71 (or another terminal apparatus, a host computer, etc.) of the card issuing apparatus 7, including a terminal (a contact) which contacts with a terminal (of a data communication mechanism 710) of the IC card reader/writer 71 to transmit and receive signals thereto and therefrom. 
The storage unit 62, employing a tree structure, includes a file area 621 including data to be processed by various application programs (i.e., programs to be incorporated in a terminal apparatus, a host computer, etc.) by files therein, and a directory area 623 holding control information about each file in the file area 621 therein. 

For instance, data files (in an application using area) 622-1, 622-2, ... to be handled by various application programs are held in the file area 621 in the storage unit 62, as shown in FIG. 6. 

In this embodiment, the data file 622-1 is to be processed by an application program for cashless service, dedicated to hold data about, for example, the balance, use record, etc. therein. The data file 622-2 is to be processed by an application program for medical examination service in a hospital or the like, dedicated to hold, for example, examination record, blood type, etc. therein. 

The directory area 623 contains control information units 623-1, 623-2, ... about the respective data files 622-1, 622-2, ... therein. 

In each of the control information units 623-1, 623-2, ..., a file name (APL-1 or APL-2), a position (a point or an address) in the file area 621, and a PIN (PIN: ABCD, or EFGH) of each of the data files 622-1, 622-2, ... are written. 

The IC card 6 also has a dedicated file 624 (different from the data files 622-1, 622-2 for the application programs) in the file area 621 in the storage unit 62, used to manage the PINs of the data files 622-1, 622-2, ... retained therein, as shown in FIG. 6. 

The dedicated file 624 holds data of file names (APL-1, APL-2, ...) of the data files (622-1, 622-2, ...) and their PINs (ABCD, EFGH, ...) in an enciphered form (PIN: ****, ####, ...) in such a manner that each enciphered PIN of a data file corresponds to its file name. 

The directory area 623 in the storage unit 62 has a control information unit 623-0 for the dedicated file 624, in which a position (a point or an address) in the file area 621, a file name (Master), and a master personal identification number (a PIN known only by the system manager, hereinafter referred to, occasionally, as a master PIN) of the dedicated file 624 are held. 

As shown in FIG. 5, the control unit (MPU: 
micro processor unit) 63 of the IC card 6 is to 
manage data retained in the file area 621 in the 
storage unit 62 according to the control information 
held in the directory area 623 in the storage unit 
62. The control unit 63 according to this embodi- 
ment, comprises a data file creating unit 631, a PIN 
matching unit 632, a data file accessing unit 633, a 
dedicated file creating unit 634, a master PIN 
matching unit 635 and a dedicated file accessing 
unit 636. 
The data file creating unit 631 sets the control information units 623-1, ... including PINs, points and file names of the respective data files 622-1, ... in the directory area 623 in the storage unit 62 in response to a data file creating command from the card issuing apparatus 7 to create the data files 622-1, ... in the file area 621 in the storage unit 62. 

In response to a data file access command from outside (i.e., the card issuing apparatus 7, the terminal apparatus, the host computer, etc.) to access a data file 622-1 created by the data file creating unit 631, the PIN matching unit 632 makes a judgement as to whether a PIN of the data file 622-1, ... that is an object of the access command (i.e., a PIN held in the control information unit 623-1 in the directory area 623) is in agreement with a PIN fed from the outside included in the above data file access command. 

The PIN matching unit 632 according to this embodiment also has a file locking function to lock a data file 622-1, ... that is an object of an access when the matching of the PINs has successively resulted in failure a predetermined number of times, and a function to release the file locking state in response to an instruction from the outside, in addition to the above matching function. 

The data file access unit 633 executes an access process (write/read) on the data file 622-1 that is an object of the access when the PIN matching unit 632 judges that the PINs are in agreement. 

The dedicated file creating unit 634 sets a control information unit 623-0 including a master PIN, a point and a file name of a dedicated file 624 in the directory area 623 in the storage unit 62 in response to a dedicated file creating command from the card issuing apparatus 7 to create the dedicated file 624 in the file area 621 in the storage unit 62. 

In response to a dedicated file access command from the card issuing apparatus 7 to gain access to the dedicated file 624 created by the dedicated file creating unit 634, the master PIN matching unit 635 makes a judgement as to whether a master PIN held in the control information unit 623-0 in the directory area 623 is in agreement with a master PIN included in the above dedicated file access command from the card issuing apparatus 7. 

When the master PIN matching unit 635 judges that the two PINs are in agreement, the dedicated file access unit 636 executes an access process (write/read) on the dedicated file 624. 

At the time of issuing the IC card 6, the dedicated file creating unit 634, to begin with, creates the dedicated file 624; the dedicated file access unit 636 next writes PINs (enciphered PINs in this embodiment) and file names of the respective data files 622-1, ... into the dedicated file 624 such that each PIN of a data file corresponds to its file name, in response to a dedicated file access command supplied from the card issuing apparatus 7. 
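The matching, file-locking and release behaviour of the PIN matching unit 632 described above, as an added example that is not the patent's code: a C sketch for one control information unit 623-n. The failure limit of 3 (the text only says "a predetermined number of times"), the requirement that the release instruction carry the master PIN of the dedicated file 624, and all identifiers are the example's own assumptions; counting the attempt before comparing and comparing every digit are design choices of the example, not something the text specifies.

```c
#include <stdbool.h>
#include <stdint.h>

#define PIN_LEN 4
#define MAX_FAILURES 3   /* the "predetermined number of times"; value is this example's choice */

/* Control information unit 623-n of one data file, as modelled here. */
typedef struct {
    const char *name;      /* file name, e.g. APL-1 */
    char pin[PIN_LEN];     /* PIN of the data file, e.g. ABCD */
    uint8_t failures;      /* consecutive failed matches, kept in non-volatile memory */
    bool locked;           /* file locking state */
} ctrl_info;

enum match_result { PIN_OK, PIN_WRONG, FILE_LOCKED };

/* Compare every digit so the time taken does not depend on where the first mismatch is. */
static bool pin_equal(const char *a, const char *b) {
    unsigned diff = 0;
    for (int i = 0; i < PIN_LEN; i++) diff |= (unsigned)(a[i] ^ b[i]);
    return diff == 0;
}

/* PIN matching unit 632: the failure count is committed before the comparison, so a
 * power cut during the comparison cannot yield an extra attempt; only a successful
 * match clears the count, and the third consecutive failure locks the file. */
static enum match_result pin_match(ctrl_info *c, const char *presented) {
    if (c->locked) return FILE_LOCKED;
    c->failures++;
    if (!pin_equal(c->pin, presented)) {
        if (c->failures >= MAX_FAILURES) c->locked = true;
        return c->locked ? FILE_LOCKED : PIN_WRONG;
    }
    c->failures = 0;
    return PIN_OK;
}

/* Release of the file locking state on an instruction from outside. The text does not
 * say what authorizes that instruction; this example gates it on the master PIN of the
 * dedicated file 624 (an assumption). */
static bool pin_unlock(ctrl_info *c, const char *master_pin, const char *presented_master) {
    if (!pin_equal(master_pin, presented_master)) return false;
    c->failures = 0;
    c->locked = false;
    return true;
}
```

Once `locked` is set, even the correct PIN is refused until the release instruction arrives, which is what makes the limit effective against guessing: the data file access unit 633 should only run after `pin_match` returns PIN_OK.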

The IC card may have an electric source therein, or may be supplied electric energy from the card issuing apparatus 7, the terminal apparatus or the host computer when the IC card is inserted into them. In the latter case, a non-volatile storage such as an EEPROM is employed as the storage unit 62 of the IC card 6. 

A configuration of the card issuing apparatus 7 which issues a card type storage medium according to the first embodiment will be next described in detail, referring to FIG. 5. 

As stated above in connection with FIG. 7, the card issuing apparatus 7 according to the first embodiment comprises the IC card reader/writer 71, the personal computer 72 and the printer 73. 

The IC card reader/writer 71 has the data communication mechanism 710 which is adapted to communicate between the IC card 6 and the personal computer 72 to write or read information to and from the IC card 6 when the IC card 6 is inserted thereinto. The data communication mechanism 710 includes a terminal (a contact) contacting with a terminal (of a data communication mechanism 61) of the IC card 6 to send or receive signals. 

The personal computer 72 functions as a card issuing apparatus to issue the above IC card 6 as mentioned above, comprising a data file creation instructing unit 721, a data file access instructing unit 722, a dedicated file creation instructing unit 723, a dedicated file access instructing unit 724, an enciphering unit 725 and a decoding unit 726. 

The data file creation instructing unit 721 sets control information units 623-1, ... including PINs, points and file names of the respective data files 622-1, ... in the directory area 623 in the storage unit 62. In order to create the data files 622-1, ... in the file area 621 in the storage unit 62, the data file creation instructing unit 721 generates a data file creating command including control information such as the PINs of the data files on the basis of data file creating data (including the PINs) stored in the floppy disk 76, and transfers the generated data file creating command to the data file creating unit 631 of the IC card 6 via the data communication mechanisms 710 and 61. 

The data file access instructing unit 722 generates a data file access command including a PIN for a data file 622-1 to be accessed in order to execute an access process on the created data file 622-1 in the file area 621 in the storage unit 62 of the IC card 6, then transfers the generated data file access command to the IC card 6 (the PIN matching unit 632 and the data file access unit 633). The data file access instructing unit 722 also has a function to transfer an instruction to verify the correctness of the data file corresponding to the PIN when the PIN in the IC card 6 is checked, as described later. 

The dedicated file creation instructing unit 723 sets a control information unit 623-0 including a master PIN, a point and a file name of the dedicated file 624 in the directory area 623 in the storage unit 62 of the IC card 6. In order to create the dedicated file 624 in the file area 621 in the storage unit 62 of the IC card 6, the dedicated file creation instructing unit 723 generates a dedicated file creating command including the master PIN on the basis of dedicated file creating data stored in the floppy disk 77, then transfers the generated dedicated file creating command to the dedicated file creating unit 634 of the IC card 6 via the data communication mechanisms 710 and 61. 

In order to execute an access process on the dedicated file 624 created in the file area 621 in the storage unit 62 of the IC card 6, the dedicated file access instructing unit 724 generates a dedicated file access command including the master PIN of the dedicated file 624, then transfers the generated dedicated file access command to both the master PIN matching unit 635 and the dedicated file access unit 636 of the IC card 6 via the data communication mechanisms 710 and 61. The dedicated file access instructing unit 724 also has a function to transfer an instruction to verify the PINs of the IC card 6, as described later. 

The dedicated file access instructing unit 724 according to this embodiment also has a function to generate a dedicated file access command including data, a pair of the enciphered PIN and the file name of each data file 622-1, ..., on the basis of the data file creating data stored in the floppy disk 76, then transfer the generated dedicated file access command to the dedicated file access unit 636 of the IC card 6 via the data communication mechanisms 710 and 61 upon issuing the IC card 6, after the dedicated file creation instructing unit 723 has transferred the dedicated file creating command to the IC card 6. 

The personal computer 72 of the card issuing apparatus 7 according to this embodiment is provided with the enciphering unit 725 which enciphers the PINs of the data files 622-1, ... supplied from the floppy disk 76 in order to write the enciphered PINs of the data files 622-1 into the dedicated file 624, and the decoding unit 726 which deciphers the enciphered PINs read out from the dedicated file 624 when PIN verification is carried out, as described later. 

Upon checking a PIN of the IC card 6, the 
dedicated file access instructing unit 724 according 
to this embodiment functions to generate a dedi- 
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cated file access command including the master 
PIN in order to read out data from the dedicated 
file 624 of the IC card 6 which holds therein the 
PIN to be verified, then transfer the generated 
dedicated file access command to both the master 
PIN matching unit 635 and the dedicated file ac- 
cess unit 636 via the data communication mecha- 
nisms 710 and 61 . 

When the data (that is, data of a pair of the enciphered PIN and the file name of the data file 622-1) is read out from the dedicated file 624 of the IC card 6 in response to the dedicated file access command from the dedicated file access instructing unit 724 upon verification of the PIN of the IC card 6, the data file access instructing unit 722 according to this embodiment generates a data file access command including the PIN read out (that is, the PIN deciphered by the decoding unit 726), then transfers the generated data file access command to both the PIN matching unit 632 and the data file access unit 633 via the data communication mechanisms 710 and 61 so as to give an instruction to the IC card 6 to verify the correctness of the data file 622-1 corresponding to the PIN read out.

The printer 73 has a PIN printing mechanism 78. When the data file access instructing unit 724 verifies the correctness of the PIN read out by the dedicated file access instructing unit 724 upon PIN verification, the PIN printing mechanism of the printer 73 prints out the PIN that is a result of the verification on a predetermined printing paper 75 in response to an instruction from the personal computer 7.

To issue the IC card 6 according to this em- 
bodiment, the following process is performed, with 
the IC card 6 being inserted in the IC card read- 
er/writer of the card issuing apparatus 7. 

The dedicated file creating instructing unit 723 
converts the dedicated file creating data (including 
the master PIN) stored in the floppy disk 77 into 
data in a format for a program incorporated in the 
IC card 6 to generate a dedicated file creating 
command including the master PIN, then transfers 
the generated dedicated file creating command to 
the dedicated file creating unit 634 of the IC card 6 
via the data communication mechanisms 710 and 
61. 

In the IC card 6, when receiving the dedicated 
file creating command, the dedicated file creating 
unit 634 sets a control information unit 623-0 in- 
cluding a master PIN, a point and a file name of 
the dedicated file 624 in the directory area 623 in 
the storage unit 62 in response to the dedicated file 
creating command so as to create the dedicated 
file 624 in the file area 621 in the storage unit 62. 

The data file creation instructing unit 721 in the card issuing apparatus 7 converts the data file creating data (including PINs for a card owner) stored in the floppy disk 67 into data in a format for a program incorporated in the IC card 6 to generate a data file creating command including the PINs, then transfers the generated data file creating command to the data file creating unit 631 of the IC card 6 via the data communication mechanisms 710 and 61.

In the IC card 6, when receiving the data file creating command, the data file creating unit 631 sets control information units 623-1, each including a PIN, a point and a file name of the data file 622-1, in the directory area 623 in the storage unit 62 in response to the data file creating command to create the data files 622-1 in the file area 621 in the storage unit 62.

Next, PINs are extracted from the data file creating data stored in the floppy disk in the card issuing apparatus 7, then enciphered to become enciphered PINs. The dedicated file access instructing unit 724 then converts the data of a pair of the enciphered PIN and the file name of each data file 622-1 into data in a format for a program incorporated in the IC card 6 to generate a dedicated file access command including the above data, then transfers the generated dedicated file access command to the dedicated file access unit 636 of the IC card 6 via the data communication mechanisms 710 and 61.

When receiving the dedicated file access command, the dedicated file access unit 636 of the IC card 6 writes the enciphered PINs of the respective data files 622-1 in the dedicated file 624 such that the enciphered PIN of the data file 622-1 corresponds to its file name, in response to the dedicated file access command, as shown in FIG. 6.

Through the above process, the IC card 6 is issued, going into a state in which it is able to receive general application services. At that time, the PINs for each card owner are managed in the dedicated file 624 in the IC card 6 that is possessed by the card owner.

To receive a general application service through the IC card, the owner inserts the IC card 6 into the terminal apparatus or the host computer providing the predetermined application. The terminal apparatus or host computer gives a data file access command to the IC card 6 to cause the IC card 6 to perform an access process (write/read) on each data file 622-1, ... in the storage unit 62.

More specifically, when receiving the data file access command from the terminal apparatus, host computer or the like, the PIN matching unit 632 makes a judgement as to whether a PIN of the data file 622-1 to be accessed (held in the control information unit 623-1 in the directory area 623) is in agreement with a PIN included in the data file access command supplied from the outside (i.e., a PIN inputted by the card owner through the terminal apparatus, host computer or the like).

When the PIN matching unit 632 makes a judgement that the above two PINs are in agreement, the data file access unit 633 performs an access process (write/read) on the objective data file 622-1. When the PIN matching unit 632 successively draws the conclusion that the above two PINs are in disagreement a predetermined number of times, the PIN matching unit 632 locks the objective data file 622-1 so that the data file 622-1 is prohibited from being used.

Meanwhile, if the card owner forgets the PIN of 
his or her own IC card 6 after the issue of the IC 
card 6, it is possible to verify the PIN by carrying 
out the following process with the IC card 6 being 
inserted in card reader/writer 71 of the card issuing 
apparatus 6, according to this embodiment. 

Namely, in order to read out data in the dedicated file 624 in the IC card 6, the dedicated file access instructing unit 724 generates a dedicated file access command including the master PIN, then transfers the generated dedicated file access command to both the master PIN matching unit 635 and the dedicated file access unit 636 of the IC card 6 via the data communication mechanisms 710 and 61.

On the side of the IC card 6, the master PIN 
matching unit 635 compares the master PIN (held 
in the control information unit 623-0 in the directory 
area 623) of the dedicated file 624 with the master 
PIN included in the dedicated file access command 
when receiving the dedicated file access com- 
mand. 

If the master PIN matching unit 635 makes a judgement that the two master PINs are in agreement, the dedicated file access unit 636 reads out the data of a pair of the enciphered PIN and the file name of a data file from the dedicated file 624, then transfers it to the dedicated file access instructing unit 724 of the card issuing apparatus 7 via the data communication mechanisms 61 and 710.

The dedicated file access instructing unit 724 
next makes the decoding unit 726 decipher the 
enciphered PIN, then reports data of a pair of the 
deciphered PIN and the file name of the data file to 
the data file access instructing unit 722. 

When receiving the report from the dedicated file access instructing unit 724, the data file access instructing unit 722 generates a data file access command including the deciphered PIN, then transfers the generated data file access command to both the PIN matching unit 632 and the data file access unit 633 of the IC card 6 via the data communication mechanisms 710 and 61 so as to give an instruction to the IC card 6 to perform verification of the correctness of the data file 622-1 corresponding to the PIN read out.



On the side of the IC card 6, the PIN matching unit 632 checks whether the PIN (held in the control information unit 623-1 in the directory area 623) of the data file 622-1 to be verified is in agreement with the PIN included in the data file access command supplied from the card issuing apparatus 7, in response to the data file access command, to verify the correctness of the PIN.

If the PIN matching unit 632 draws a conclusion that the two PINs are in agreement, it is judged that the correctness of the data file 622-1 corresponding to the PIN read out has been verified. At that time, if the data file 622-1 that is an object of the correctness verification is in a locked state, the PIN matching unit 632 returns the IC card 6 to a normal state.

When the correctness of the IC card 6 is verified in the above manner, the PIN printing mechanism 78 of the printer 73 prints out the deciphered PIN read out by the dedicated file access instructing unit 724 on the predetermined printing paper 75, and the verification of the PIN finishes.
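The issuing and PIN verification flow of the first embodiment, simulated in Python as an added example; this is not code from the patent. The XOR-with-keystream cipher stands in for the enciphering manner the page leaves unspecified, the lock threshold of three failures and the `verify` flag that distinguishes the issuing apparatus's verification command from an ordinary data file access command are this example's own assumptions, and the master PIN, file names and PIN values are constructed.

```python
"""Simulation of PIN management in an IC card (first embodiment).

Added example; the cipher, the lock threshold and the command shapes are
assumptions of this example, not taken from the patent."""
import hashlib
import hmac
from dataclasses import dataclass

MAX_FAILURES = 3   # "predetermined times" of PIN disagreement before a file is locked (assumption)


def _keystream(secret: bytes, file_name: str) -> bytes:
    # Stand-in for the unspecified enciphering manner: a per-file keystream (assumption)
    return hashlib.sha256(secret + b"|" + file_name.encode()).digest()


def encipher_pin(secret: bytes, file_name: str, pin: str) -> bytes:
    return bytes(a ^ b for a, b in zip(pin.encode(), _keystream(secret, file_name)))


def decipher_pin(secret: bytes, file_name: str, enc: bytes) -> str:
    return bytes(a ^ b for a, b in zip(enc, _keystream(secret, file_name))).decode()


@dataclass
class DataFile:            # control information unit 623-1 of one data file 622-1
    pin: str
    failures: int = 0
    locked: bool = False


class ICCard:
    """Control unit and storage unit 62 of the IC card 6."""

    def __init__(self):
        self.master_pin = None      # control information unit 623-0 of the dedicated file 624
        self.files = {}             # file name -> DataFile
        self.dedicated = {}         # dedicated file 624: file name -> enciphered PIN

    # dedicated file creating unit 634 / data file creating unit 631
    def create_dedicated_file(self, master_pin: str):
        self.master_pin = master_pin

    def create_data_file(self, file_name: str, pin: str):
        self.files[file_name] = DataFile(pin)

    # master PIN matching unit 635 gates the dedicated file access unit 636
    def dedicated_file_access(self, master_pin: str, pairs=None):
        if self.master_pin is None or not hmac.compare_digest(master_pin, self.master_pin):
            return None
        if pairs is not None:                      # issuing: write enciphered (PIN, file name) pairs
            self.dedicated.update(pairs)
        return dict(self.dedicated)                # verification: read them back out

    # PIN matching unit 632 gates the data file access unit 633
    def data_file_access(self, file_name: str, pin: str, verify: bool = False) -> str:
        f = self.files[file_name]
        if f.locked and not verify:                # an ordinary access cannot reopen a locked file (assumption)
            return "locked"
        if hmac.compare_digest(pin, f.pin):
            f.failures, f.locked = 0, False        # a verified PIN returns the file to the normal state
            return "ok"
        f.failures += 1
        if f.failures >= MAX_FAILURES:
            f.locked = True
            return "locked"
        return "denied"


class CardIssuingApparatus:
    """Personal computer 72 of the card issuing apparatus 7 (units 721 to 726)."""

    def __init__(self, secret: bytes, master_pin: str):
        self.secret, self.master_pin = secret, master_pin

    def issue(self, file_pins: dict) -> ICCard:
        card = ICCard()
        card.create_dedicated_file(self.master_pin)               # unit 723
        for name, pin in file_pins.items():
            card.create_data_file(name, pin)                      # unit 721
        pairs = {n: encipher_pin(self.secret, n, p) for n, p in file_pins.items()}   # unit 725
        card.dedicated_file_access(self.master_pin, pairs)        # unit 724, layout of FIG. 6
        return card

    def verify_pin(self, card: ICCard, file_name: str):
        """Recover a forgotten PIN and confirm it on the card; returns it for printing, or None."""
        data = card.dedicated_file_access(self.master_pin)        # unit 724 reads the dedicated file
        if data is None or file_name not in data:
            return None
        pin = decipher_pin(self.secret, file_name, data[file_name])      # unit 726
        if card.data_file_access(file_name, pin, verify=True) != "ok":   # unit 722 confirms it
            return None
        return pin
```

The card never holds the PINs of the dedicated file in clear, and the master PIN alone yields only ciphertext, which is the property the page relies on; the `verify` flag is added here so that the lock after repeated disagreement is not undone by an ordinary terminal access, only by the issuing apparatus's verification step.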

According to the first embodiment, the data consisting of a pair of the PIN and the file name of each data file 622-1, ... is set in the file area 621 in the storage unit 62 of the IC card 6. The PINs in each IC card 6 are managed by and within the IC card itself, without need for management of the PINs by the host computer, thereby largely reducing the burden of PIN management on the entire IC card system.

The data in the dedicated file 624 cannot be read out without the master PIN, which is known only to the system manager. Even if the master PIN leaks to someone other than the system manager, the PINs of the data files 622-1, ... do not leak out as they are, since each PIN of a data file 622-1 is enciphered. So long as the manner of enciphering the PINs of the data files 622-1 is kept secret, no PIN can be recovered.

It is therefore possible to securely prevent the PINs from leaking out and to avoid a security problem, even if the PINs are managed by and within the IC card 6.

Further, upon verification of the PINs in the case of an accident, the dedicated file access instructing unit 724 of the card issuing apparatus 7 generates a dedicated file access command including the master PIN, then transfers the command to the IC card 6. The manner of this verification is quite simple and can reduce inconvenience to the card user.

According to this embodiment, when the PIN is verified, the data file access instructing unit 722 transfers a data file access command to the IC card 6 to verify the correctness of the PIN read out from the dedicated file 624, and the PIN matching unit 632 executes a PIN matching to make sure of the correctness of the data file 622-1 corresponding to the PIN read out, thereby increasing the reliability of the PIN verification.

In the above embodiment, the data file creating 
data and the dedicated file creating data are sup- 
plied from the floppy disks 76 and 77, respectively. 
It is also possible to input the data file creating 
data and the dedicated file creating data through a 
keyboard or the like. 

(c) Description of Second Embodiment 

Referring now to FIG. 8, an IC card 8 according 
to a second embodiment comprises a storage unit 
81 and a control unit 82. 

The storage unit 81 has a tree structure, including a file area 811 holding data to be processed by various application programs (i.e., programs incorporated in a terminal apparatus, a host computer, etc.) in files therein, and a directory area 813 holding control information about each of the data files 812 in the file area 811.

In the directory area 813, a file name, a personal identification number (PIN), a position (i.e., and the like of each data file 812 held in the file area 811 are written.

The IC card 8 according to this embodiment is 
additionally provided with a recovery information 
unit 815 in the data file 812 in the file area 811 in 
the storage unit 81, into which the control unit 82 
writes recovery information obtained every time the 
data file 812 is updated, as shown in FIG. 9. 

More concretely, as shown in FIG. 10, record 
numbers #1 to #n are allocated to an application 
area 814 to store data to be processed by one of 
various application programs (i.e., data of the bal- 
ance in the case of a cashless card), and record 
numbers after #n + 1 and later are allocated to the 
recovery information unit 815. 

As shown in FIG. 10, a start serial number (the 
number of processed items) obtained when the 
data file 812 is opened is written in the record 
number #n + 1 in the recovery information unit 815, 
an end serial number (the number of processed 
items) obtained when the data file 812 is closed is 
written in the record number #n + 2, and restoration 
data consisting of a record number whose data has 
been updated (i.e., an updated record number in 
the application area 814) and unupdated data at the 
same record number (i.e., data before subjected to 
the updating in the application area 814) obtained 
when the data file 812 is updated is written in the 
record numbers after #n + 3 and later. According to 
this embodiment, check serial numbers (the num- 
ber of items) are respectively attached, as recovery 
information, before and after the start serial num- 
ber, the restoration data and the end serial number 
held in the recovery information unit 815. 
As shown in FIG. 9, there are set, in the directory area 813 in the storage unit 81 as control information of each data file 812, information as to whether the recovery information unit 815 is additionally provided in a data file 812 (that is, information about the presence of the recovery information in a data file 812), information about a relative position of the recovery information unit 815 in the data file 812 if the recovery information unit 815 exists in the data file 812 (that is, the leading record number of the recovery information unit 815), and a size and a number of the recovery information unit 815.

The control unit 82 according to this invention is adapted to manage the data files 812 in the file area 811 in the storage unit 81 on the basis of the control information held in the directory area 813 in the storage unit 81, and comprises a data file opening unit 821, a data file updating unit 822, a data file closing unit 823, a start serial number obtaining unit 824, a restoration data obtaining unit 825, an end serial number obtaining unit 826, a restoration data initializing unit 827, a system failure detecting unit 828, a start serial number restoring unit 829, an end serial number restoring unit 830 and a data restoring unit 831.

When receiving an OPEN command (an open instruction) from an application program 9 incorporated in a terminal apparatus or the like into which the IC card 8 is inserted, the data file opening unit 821 opens a data file 812 designated by the OPEN command, on the basis of the control information in the directory area 813 in the storage unit 81.

When receiving a WRITE command (an updating instruction) from the application program 9 after the data file 812 has been opened, the data file updating unit 822 updates data in the data file 812 having been opened by the data file opening unit 821.

When receiving a CLOSE command (a closing instruction) from the application program 9 after the data file 812 has been opened, the data file closing unit 823 closes the data file 812 having been opened by the data file opening unit 821.

The start serial number obtaining unit 824 obtains a start serial number (whose initial value is 0) by adding 1 to the latest start serial number when the data file 812 is opened by the data file opening unit 821. The start serial number obtaining unit 824 also attaches check serial numbers (whose initial value is 1, incremented by 1 every time the data file 812 is opened) before and after the start serial number, and writes both the start serial number and its check serial numbers as recovery information in the record number #n + 1 of the recovery information unit 815.
The restoration data obtaining unit 825 acquires restoration data including a record number to be updated and unupdated data at the same record number when the data file 812 is updated by the data file updating unit 822. The restoration data obtaining unit 825 also attaches check serial numbers before and after the restoration data, and writes the restoration data and its check serial numbers as recovery information in the record numbers on and after #n + 3, in order.

If the data file updating unit 822 executes plural 
times of updating process on the same record 
number between an open and close of the data file 
812, the restoration data obtaining unit 825 does 
not write data into the recovery information unit 815 
after the second updating process and later. 

The end serial number obtaining unit 826 obtains an end serial number (whose initial value is 0) by adding 1 to the latest start serial number when the data file closing unit 823 closes the data file 812. The end serial number obtaining unit 826 also attaches check serial numbers (whose initial value is 1, incremented by 1 every time the data file 812 is closed) before and after the end serial number, and writes both the end serial number and its check serial numbers as recovery information into the record number #n + 2 in the recovery information unit 815.

Before the restoration data having been ac- 
quired by the restoration data obtaining unit 825 
has been written into the recovery information unit 
815, the restoration data initializing unit 827 initial- 
izes the restoration data that is being stored in the 
recovery information unit 815 (more specifically, 
setting the restoration data all at 0 and the check 
serial numbers all at 1). 

When receiving an OPEN command (an open instruction) from the application program 9, the system failure detecting unit (a failure detecting means) 828 first looks up the control information relating to the data file 812 designated by the OPEN command, held in the directory area 813 in the storage unit 81. If the data file 812 has a recovery information unit 815 therein, the system failure detecting unit 828 detects a failure having occurred in the last process on the basis of the start serial number, the end serial number and the check serial numbers attached before and after the start serial number and the end serial number, respectively, written as recovery information in the recovery information unit, through the following procedure shown in FIG. 12.

When the check serial numbers attached before and after the start serial number are in disagreement, the system failure detecting unit 828 makes a judgement that a failure occurred when the data file opening unit 821 opened the data file in the last process, outputting a demand to reprocess the last process to the application program 9 and a demand to restore the start serial number to the start serial number restoring unit 829.

When receiving a demand to restore the start serial number from the system failure detecting unit 828, the start serial number restoring unit 829 restores the start serial number stored in the recovery information unit 815 to the one at the time of two updating processes earlier.

When the check serial numbers attached before and after the start serial number are in agreement but the check serial numbers attached before and after the end serial number are in disagreement, the system failure detecting unit 828 makes a judgement that a failure occurred when the data file closing unit 823 closed the data file in the last process, and outputs a demand to restore the end serial number to the end serial number restoring unit 830.

When receiving the demand to restore the end serial number from the system failure detecting unit 828, the end serial number restoring unit 830 restores the end serial number being stored in the recovery information unit 815 to the one at the time of the last process.

When the check serial numbers attached before and after the start serial number and the check serial numbers attached before and after the end serial number are in agreement but the start serial number and the end serial number are in disagreement, the system failure detecting unit 828 judges that a failure occurred when the data file updating unit 822 updated the data file in the last process, and outputs a demand to perform the last process once again to the application program 9 and a demand to restore the data in the data file 812 to the data restoring unit 831.

When receiving the demand to restore the data in the data file 812 from the system failure detecting unit 828, the data restoring unit 831 restores the data in the application area 814 in the data file 812 on the basis of the restoration data stored in the recovery information unit 815.

The data restoring unit 831, according to this embodiment, comprises a restoration data effectiveness detecting unit 832 and a restoration data writing unit 833.

The restoration data effectiveness detecting unit 832 judges that the restoration data is effective when the check serial numbers attached before and after the restoration data are in agreement. The restoration data writing unit 833 writes the unupdated data of the restoration data having been judged to be effective by the restoration data effectiveness detecting unit 832 as the data at the record number of the above restoration data in the application area 814 of the data file 812.
According to this embodiment, the recovery information is acquired in the IC card 8 in a normal updating process instructed by the application program 9 through the following procedure shown in FIG. 11.

When receiving an OPEN command from the 
application program 9, the system failure detecting 
unit 828 of the IC card 8 detects a failure that has 
occurred in the last process (Step S1). 

If a system failure is not detected, or a system failure is detected and a recovery process (a data recovery process) is executed by the restoring units 829-831, the restoration data initializing unit 827 initializes the restoration data that has been written in the recovery information unit 815 in the last process by setting all the restoration data at 0 and all the check serial numbers at 1 (Step S2). (The manner of the system failure detection and the data restoration will be described later, referring to FIG. 12.)

The start serial number obtaining unit 824 ob- 
tains a check serial number and a start serial 
number by adding 1 to the latest start serial num- 
ber (whose initial value is 0) and the check serial 
numbers (whose initial value is 1), and writes the 
new start serial number and its check serial num- 
bers attached before and after the start serial num- 
ber as recovery information in the record number 
#n + 1 in the recovery information unit 815 (Step 
S3). 

Thereafter, the data file opening unit 821 opens 
the data file 812 designated by the open command 
on the basis of the control information in the direc- 
tory area 813 in the storage unit 81 (Step S4). 

After the data file 812 is opened, the restoration data obtaining unit 825 obtains restoration data including a record number to be updated and unupdated data at this record number every time the application program 9 supplies a WRITE command (an updating instruction), and writes the restoration data and its check serial numbers attached before and after the restoration data in the record numbers on and after #n+3 in the recovery information unit 815, in order (Step S5). In the case where the data file updating unit 822 executes the updating process plural times on the same record number between an open and close of the data file 812, the restoration data will not be written into the recovery information unit 815 after the second updating process and later.

After the restoration data obtaining unit 825 has 
obtained the restoration data, the data file updating 
unit 822 updates the data in the data file 812 (Step 
S6). 

While the application program 9 supplies a 
WRITE command (an updating instruction), the 
process in the steps S5 and S6 is repeated. 



When receiving a CLOSE command from the application program 9, the end serial number obtaining unit 826 obtains an end serial number and its check serial numbers by adding 1 to the latest end serial number (whose initial value is 0) and the check serial numbers (whose initial value is 1), in the same manner as in step S3. The end serial number with the check serial numbers attached before and after it is written into the record number #n + 2 in the recovery information unit 815 as recovery information (Step S7).

Thereafter, the data file closing unit 823 closes 
the data file 812 (Step S8). 

In the above manner, the recovery information is written in the recovery information unit 815 additionally provided in the data file 812 in the file area 811 in the storage unit 81 every time the control unit 82 causes the data file 812 to be updated.

The manner in which the system failure detecting unit 828 detects a system failure in the last process, and the restoring process (the data recovery process) carried out in the IC card 8 when a system failure is detected, in Step S1 shown in FIG. 11, will now be described in more detail, referring to FIG. 12.

When receiving an OPEN command from the application program 9, a reference is made to the control information about the designated data file 812 in the directory area 813. If the data file 812 has a recovery information unit 815 therein, the system failure detecting unit 828 detects a system failure having occurred in the last process, on the basis of the recovery information (i.e., a start serial number, an end serial number and check serial numbers attached before and after the start serial number and the end serial number) stored in the recovery information unit 815.

Namely, a judgement is first made as to whether the check serial numbers attached before and after the start serial number are in agreement or not (Step S11). If the check serial numbers are in disagreement, it is judged that a system failure occurred when the data file was opened by the data file opening unit 821 in the last process, then a demand to reprocess the last process and a demand to restore the start serial number are outputted to the application program 9 and the start serial number restoring unit 829, respectively.

The start serial number restoring unit 829 restores the start serial number stored in the recovery information unit 815 to the one at the time of two updating processes earlier (Step S12). Then, in step S2 shown in FIG. 11, the application program 9 once more carries out the process that should have been done in the last process, in response to the reprocessing demand from the system failure detecting unit 828.

On this occasion, since a system failure occurred when the data file was opened in the last process, it can be assumed that no updating process has been performed on the data file 812, and therefore none on the restoration data and the end serial number in the recovery information unit 815. Therefore, only the start serial number is restored to the one at the time of two updating processes earlier, without carrying out the data restoring (data recovery), and a demand for reprocessing is given to the application program 9. In this way, the program of the last process can be appropriately executed with the recovery information unit 815 in a proper state.

If it is judged in Step S11 that the check serial numbers attached before and after the start serial number are in agreement, the next judgement is made as to whether the check serial numbers attached before and after the end serial number are in agreement or not (Step S13). If the check serial numbers attached before and after the end serial number are in disagreement, it is judged that a failure occurred when the data file was closed by the data file closing unit 823 in the last process, and a demand to restore the end serial number is outputted to the end serial number restoring unit 830.

The end serial number restoring unit 830 then restores the end serial number stored in the recovery information unit 815 to the one at the time of the last process (Step S14). The procedure then advances to step S2 in FIG. 11, where the application program 9 carries out the process of this time.

On this occasion, since a failure occurred when 
the data file was closed in the last process, it can 
be assumed that the data file 812, and the start 
serial number and the restoration data in the recov- 
ery information unit 815 have been properly up- 
dated in the last process. Therefore, it is possible 
to execute the process of this time with a proper 
recovery information unit 25 only if the end serial 
number is restored to the one at the time of the 
last process. 

If it is judged in step S13 that the check serial numbers attached before and after the end serial number are in agreement, the next judgement is made as to whether the start serial number and the end serial number are in agreement or not (Step S15). If they are in disagreement, it is judged that a failure occurred during the data file updating operation carried out by the data file updating unit 822 in the last process, then a demand to reprocess the last process and a demand to restore the data in the data file 812 are outputted to the application program 9 and the data restoring unit 831, respectively.

When receiving a command to restore the data in the data file 812 from the system failure detecting unit 828, the data restoring unit 831 restores the data in the application area 814 in the data file 812 on the basis of the restoration data stored in the recovery information unit 815 (Step S16). The procedure then advances to step S2 in FIG. 11, where the application program 9 carries out once more the operation that should have been done in the last process.

On this occasion, since a failure occurred during the updating process in the last process, the application area 814 in the data file 812 is restored to the state at the time of two updating processes earlier (the state before the failure occurred), then a reprocess is demanded of the application program 9, thereby re-executing the last process on the data file 22 that is in the state at the time of two updating processes earlier.

When the data restoring unit 831 restores the data, the restoration data writing unit 833 writes into the data file 812 only the restoration data whose check serial numbers attached before and after the same have been judged by the restoration data effectiveness detecting unit 832 to be in agreement.

It is therefore possible to restore the data without using restoration data (whose check serial numbers are in disagreement) whose writing was interrupted by a system failure in the last process.

In the case where the start serial number is in agreement with the end serial number in step S15, the last process is judged to have been normal (Step S17), and the procedure advances to step S2 in FIG. 11, where the process of this time is executed by the application program 9.

Next, the operation of the IC card according to this embodiment will be described referring to FIGS. 13 through 16, where the content of practical data in the recovery information unit 815 is shown to explain the operation.

The recovery information unit 815 immediately after the issue of the IC card 8 is in a state where the start serial number, the end serial number and the restoration data are all set at 0, and the check serial numbers attached before and after the start serial number, the end serial number and the restoration data are all set at 1, as shown in FIG. 13A.

Assume that, in the first updating process done on the IC card 8, a WRITE instruction from the application program 9 for, for example, the record numbers #10, #8 and #11 of the data file 812 is successively executed between an open and close of the data file 812 without a break due to a system failure. 

In this case, the start serial number obtaining unit 821 and the end serial number obtaining unit 823 obtain "1" and "1" as a start serial number and an end serial number, respectively, and write them into the recovery information unit 815. At the same time, the restoration data obtaining unit 825 also obtains, for example, "#10,3030", "#08,F1F1" and "#11,1010" as restoration data, and writes them into the recovery information unit 815. Before and after each data item, check serial numbers "2" are attached, as shown in FIG. 13B. 

Here, "3030", "F1F1" and "1010" in the restoration data are the unupdated data at the record numbers #10, #08 and #11 in the application area 814. 

Thereafter, when the second updating process is performed on the IC card 8, the restoration data initializing unit 827 initializes the recovery information unit so that all the restoration data become "0" and their check serial numbers become "1". Assume that after the initialization has been executed by the restoration data initializing unit 827, a WRITE instruction is successively executed two times on the record number #02 of the data file 812, and that this updating process is executed between an open and close of the data file 812 without a break due to a system failure. 

In this case, the start serial number obtaining unit 821 and the end serial number obtaining unit 823 obtain "2" and "2" as a start serial number and an end serial number, respectively, and write them into the recovery information unit 815. At the same time, the restoration data obtaining unit 825 obtains, for example, "#02,4040" as restoration data, and also writes it into the recovery information unit. Check serial numbers "3" are attached before and after the start serial number, the end serial number and the restoration data, and are also written into the recovery information unit 815. 

In the case where the updating process is executed a plurality of times on the same record number between an open and close of the data file 812, the restoration data obtaining unit 825 does not write the restoration data into the recovery information unit 815 for the second and later processes. "4040", written as the unupdated data of the restoration data, is the first unupdated data in relation to the record number #02 in the application area 814. 

On the third updating process done on the IC card 8, the restoration data initializing unit 827 first executes initialization. The application program 9 next gives a WRITE instruction for, for example, the record numbers #10 and #08 in the data file 812. Now assume that a system failure occurred after the restoration data in connection with the record number #08 was obtained, as shown in FIG. 14. 

In this case, the start serial number obtaining unit 821 obtains a start serial number "3" and its check serial numbers "4", and writes them into the recovery information unit 815. The end serial number obtaining unit 823, however, cannot obtain an end serial number and its check serial numbers, since the system failure occurred before a CLOSE instruction was received. As a result, the end serial number "2" and the check serial numbers "3" from the last process remain in the recovery information unit 815. 

The restoration data obtaining unit 825 obtains, for example, "#10,3030" and "#08,F1F1" as restoration data, and successively writes them with their check serial numbers "4" into the recovery information unit. The updating process is then terminated. 

If the application program 9 executes an updating process on the IC card 8 under the above condition, the system failure detecting unit 828 operates in response to an OPEN instruction from the application program 9, and judges that a system failure occurred during the last updating process, since the check serial numbers attached before and after the start serial number and the check serial numbers attached before and after the end serial number are individually in agreement but the start serial number and the end serial number are in disagreement (see Step S15 in FIG. 12). The system failure detecting unit 828 thus outputs a demand to perform a reprocess to the application program 9 and a demand to restore the data in the data file 812 to the data restoring unit 831 (see Step S16 in FIG. 12). 

When the data restoring unit 831 restores the data, the restoration data effectiveness detecting unit 832 verifies the effectiveness of each restoration data item from whether the check serial numbers attached before and after it are in agreement or not. In the example shown in FIG. 14, the check serial numbers attached before and after the two restoration data items are all "4", and are thus in agreement. The two restoration data items are therefore judged to be effective. The restoration data writing unit 833 writes the restoration data "3030" and "F1F1" into the respective record numbers #10 and #08 in the application area 814 in the data file 812 on the basis of the above two restoration data items whose effectiveness has been verified. 

On the contrary, assume that upon performing the third updating process on the IC card 8, a WRITE instruction from the application program 9 is executed on, for example, the record numbers #03 and #02 in the data file 812, and a system failure occurs while the restoration data in connection with the record number #02 is being obtained, as shown in FIG. 15. 

In this case, the start serial number obtaining unit 821 obtains a start serial number "3" and its check serial numbers "4", and writes them into the recovery information unit 815. The end serial number obtaining unit 823, however, cannot obtain an end serial number and its check serial numbers, since the system failure occurred before a CLOSE instruction was received. As a result, the end serial number "2" and the check serial numbers "3" from the last process remain in the recovery information unit 815. 

The restoration data obtaining unit 825 obtains "#03,3232" as restoration data with its check serial numbers "4". However, since a system failure occurred in the course of obtaining "#02,2222" as the second restoration data, the check serial number "4" is attached before the restoration data "#02,2222", while the check serial number "3" attached after the restoration data in the last process still remains even at the end of the process. 

Under such a condition, if an updating process is executed on the IC card 8 from the application program 9, the system failure detecting unit 828 operates in response to an OPEN instruction from the application program 9, and judges that a system failure occurred during the last updating process, since the check serial numbers attached before and after the start serial number and the check serial numbers attached before and after the end serial number are individually in agreement, but the start serial number and the end serial number are in disagreement (see Step S15 in FIG. 12). The system failure detecting unit 828 thus outputs to the application program 9 a demand to perform the last process once more, besides a demand to the data restoring unit 831 to restore the data in the data file 812, in the same way as in the example shown in FIG. 14 (see Step S16 in FIG. 12). 

Here, when the data restoring unit 831 restores the data, the restoration data effectiveness detecting unit 832 verifies the effectiveness of the restoration data by judging whether the check serial numbers attached before and after each restoration data item are in agreement or not. In the example shown in FIG. 15, the check serial numbers attached before and after the first restoration data item are both "4", and are thus in agreement. But the check serial numbers attached before and after the second restoration data item are "4" and "3", and are thus in disagreement. 

For this reason, the first restoration data item is judged to be effective, but it is judged that a system failure occurred in the course of obtaining the second restoration data item, so that the updating process on the record number #02 in the application area 814 had not been completed. Therefore, the restoration data writing unit 833 conducts the writing on the basis of the first restoration data item only. 

Through the above process, it is possible to restore the application area 814 from the state of the system failure shown in FIG. 16B to the state before the system failure occurred, by writing the restoration data "3232" to the record number #03 in the application area 814 of the data file 812. 



As above, according to the second embodiment of this invention, the start serial number and the end serial number in the recovery information unit 815 are compared with each other. If the start serial number and the end serial number are in disagreement, it is possible to detect that a system failure occurred between an open and close of the data file 812. The check serial numbers attached before and after each data item in the recovery information unit 815 are also compared with each other. If the check serial numbers are in disagreement, it is possible to detect that a system failure occurred in the course of writing the start serial number, the restoration data or the end serial number into the recovery information unit 815, and further to detect with certainty the effectiveness of each data item stored in the recovery information unit 815 and conflicting data generated due to the system failure, without using a BCC. 

Before the restoration data obtained by the restoration data obtaining unit 825 is written into the recovery information unit 815, the restoration data of the last process stored in the recovery information unit 815 is initialized by the restoration data initializing unit 827. This initializing operation prevents the restoration data of the last process from remaining in the recovery information unit when the new restoration data is written into it, and thereby surely avoids erroneously detecting a system failure. 

In the case where the data file updating unit 822 executes the updating process more than once on the same record number between an open and close of the data file 812, the restoration data obtaining unit 825 does not write the restoration data into the recovery information unit 815 for the second and later updates, whereby the data before the data file was opened (i.e., the data before the updating) is always held as the restoration data for that record number in the recovery information unit 815. Therefore, the state within the IC card 8 after a system failure has occurred can be effectively restored to the state before the system failure occurred, on the basis of the data in the recovery information unit 815. 

Since information about the presence of the recovery information unit 815 and information about the relative position of the recovery information unit 815 in a data file, if the recovery information unit 815 exists in the data file, are both set in the directory area 813 in the storage unit 81, it is possible to judge whether predetermined data should be written into the recovery information unit 815 or data should be restored on the basis of the data stored in the recovery information unit, only by referring to the directory area 813 in the storage unit 81 from the control unit 82. 
If the data file 812 has the recovery information unit therein, the system failure detecting unit 828 detects a system failure that occurred in the last process, on the basis of the start serial number, the end serial number and the check serial numbers attached before and after the start serial number and the end serial number in the recovery information unit 815, in response to an OPEN instruction from the application program 9. This enables automatic detection of conflicting data occurring due to a system failure within the IC card 8 without using a BCC. 

According to the result of detection carried out by the system failure detecting unit 828, the start serial number restoring unit 829, the end serial number restoring unit 830 and the data restoring unit 831 can automatically repair and restore the recovery information unit 815 or the application area 814, whereby the configuration of the system can be simplified and the inconvenience to the owner upon restoring the data can be mitigated to a considerable degree. 

When the data restoring unit 813 repairs the data, the restoration data writing unit 833 writes into the application area 814 in the data file 812 only the effective restoration data whose check serial numbers attached before and after the same have been judged to be in agreement by the restoration data effectiveness judging unit 832. In consequence, it is possible to restore, certainly and effectively, the data in the application area 814 to the state before the system failure occurred, without using restoration data for which the system failure occurred in the course of the writing (i.e., data whose check serial numbers are in disagreement). 

In the IC card 8 according to the second embodiment, a terminal used to send and receive information to and from the outside (a contact and a data communication mechanism) is omitted in the drawings. 

In the second embodiment stated above, there is no need to add the recovery information unit 815 to all data files 812. As shown in FIG. 9, it is possible to omit the recovery information unit 815 in a data file 812 that needs no data recovery. 

In the second embodiment, the description has been made by way of an IC card as a card type storage medium. This invention is, however, not limited to the above examples, but is adaptable to another type of card type storage medium, for example an optical card, bringing the same effect as the above examples. 

It is also possible to form a card type storage medium having the function of the IC card 6 according to the first embodiment along with the function of the IC card 8 according to the second embodiment. In this case, the advantages of the above two embodiments can be realized in one card type storage medium. 

Claims 

1. A card type storage medium comprising a storage unit having a file area (21) holding data in each file as a unit and a directory area (23) holding therein control information units (231) each including a PIN of a data file in said file area and a control unit (3) managing data files (22) in said file area (21) in said storage unit (2) on the basis of said control information units (231) in said directory area (23) in said storage unit (2), said control unit (3) allowing an access process on a data file (22) by said control unit (3) only when a PIN held in said control information unit (231) in said directory area (23) in said storage unit (2) is in agreement with a PIN inputted from outside, the storage medium further comprising: 

a dedicated file (24) being set in said file area (21) in said storage unit (2), said dedicated file (24) holding PINs of the data files (22) held in said respective control information units (231) in said directory area (23) in said storage unit (2) and file names of the data files (22) such that the PIN and the file name of each data file (22) correspond to each other; 

another control information unit (232) being set in said directory area (23) in said storage unit (2), said control information unit (232) holding a master PIN of said dedicated file (24). 

2. A card type storage medium according to 
claim 1, wherein the PINs of the respective 
data files (22) are enciphered to be held in 
said dedicated file (24). 

3. A card type storage medium comprising: 

a storage unit (2) having a file area (21) holding data in each file as a unit and a directory area (23) holding therein control information units (231) each including a PIN of each data file (22) in said file area (21); 

a control unit (3) managing data files (22) in said file area (21) in said storage unit (2) on the basis of said control information units (231) in said directory area (23) in said storage unit (2), said control unit (3) comprising: 

a data file creating means (31), in response to a data file creating command from outside, setting a control information unit (231) for a data file (22) including a PIN of said data file (22) to create said data file (22) in said file area (21) in said storage unit (2) according to said data file creating command; 

a PIN matching means (32), in response to a data file access command to gain an access to the data file (22) created by said data file creating means (31) from the outside, making a judgement as to whether the PIN of said data file (22) to be accessed according to said data file access command held in said control information unit (231) in said directory area (23) in said storage unit (2) is in agreement with a PIN included in said data file access command supplied from the outside; 

a data file accessing means (32) executing an access process on the data file (22) to be accessed when said PIN matching means (32) judges that said two PINs are in agreement; 

a dedicated file creating means (34), in response to a dedicated file creating command from the outside, setting a control information unit (232) for said dedicated file (24) including a master PIN for said dedicated file (24) to create said dedicated file (24) in said file area (21) in said storage unit (2) according to said dedicated file creating command; 

a master PIN matching means (35), in response to a dedicated file access command to gain an access to said dedicated file (24) created by said dedicated file creating means from the outside, making a judgement as to whether the master PIN of said dedicated file (24) held in said control information unit (232) in said directory area (23) in said storage unit (2) is in agreement with a master PIN included in said dedicated file access command supplied from the outside; and 

a dedicated file access means (36) executing an access process on said dedicated file (24) when said master PIN matching means (35) makes a judgement that the above two master PINs are in agreement; 

upon issuing said IC card, said dedicated file accessing means (36) writing the PINs of the data files (22) held in said respective control information units (231) in said directory area (23) in said storage unit (2) into said dedicated file (24) such that the PIN and file name of each data file (22) correspond to each other according to a dedicated file accessing command supplied from outside after said dedicated file creating means (34) created said dedicated file. 

4. A card type storage medium according to claim 3, wherein PINs for the respective data files (22) are enciphered and held in said dedicated file (24). 

5. A card type storage medium issuing apparatus issuing a card type storage medium (10), said card type storage medium (10) comprising a storage unit (2) having a file area (21) holding data in each file as a unit and a directory area (23) holding therein control information units (231) each including a PIN of a data file (22) in said file area (21) and a control unit (3) managing data files (22) in said file area (21) in said storage unit (2), comprising: 

a data file creation instructing means (41) setting a control information unit (231) for a data file (22) including a PIN of the data file (22) in said directory area (23) in said storage unit (2), generating a data file creating command including the PIN of the data file (22), and transferring it to said card type storage medium (10) in order to create the data file (22) in said file area (21) in said storage unit (2); 

a data file access instructing means (42) generating a data file accessing command including a PIN of a data file (22) to be accessed, and transferring it to said card type storage medium (10) in order to gain an access to the data file (22) created in the file area (21) in said storage unit (2); 

a dedicated file creation instructing means (43) setting a control information unit (232) for a dedicated file (24) including a master PIN of the dedicated file (24) in said directory area (23) in said storage unit (2), generating a dedicated file creating command including the master PIN, and transferring it to said card type storage medium (10) in order to create the dedicated file (24) in said file area (21) in said storage unit (2); 

a dedicated file access instructing means (44) generating a dedicated file accessing command including the master PIN of the dedicated file (24), and transferring it to said card type storage medium (10) in order to gain an access to the dedicated file (24) created in said file area (21) in said storage unit (2); 

upon issuing said card type storage medium (10), after said dedicated file creation instructing means (43) has transferred a dedicated file creating command to said card type storage medium (10), said dedicated file access instructing means (44) generating a dedicated file accessing command including data of PINs and file names of the data files (22), and transferring it to said card type storage medium (10), in order to write the PINs and file names of the data files (22) held in said respective control information units (231) in said directory area (23) in said storage unit (2) such that the PIN and file name of each data file (22) correspond to each other. 
6. A card type storage medium issuing apparatus according to claim 5, wherein when a PIN of said card type storage medium (10) is verified, said dedicated file access instructing means (44) generates a dedicated file access command including the master PIN, and transfers it to said card type storage medium (10) in order to read out data held in said dedicated file (24) in said file area (22) in said storage unit (2) of said card type storage medium (10) whose PIN is to be verified. 

7. A card type storage medium issuing apparatus according to claim 6, wherein when data including a PIN and file name of a data file (22) held in said card type storage medium (10) is read out from said dedicated file (24) of said card type storage medium (10) in response to a dedicated file accessing command sent out from said dedicated file access instructing means (44), said data file access instructing means (44) generates a data file accessing command including the PIN read out, and transfers it to said card type storage medium (10) so as to instruct said card type storage medium (10) to verify the correctness of the data file (22) corresponding to said PIN read out. 

8. A card type storage medium issuing apparatus according to any one of claims 5 through 7, wherein said card type storage medium issuing apparatus further comprises an enciphering means enciphering the PINs of the data files (22) to be written in said dedicated file (24) in said card type storage medium (10) by said dedicated file access instructing means (44), and a deciphering means deciphering an enciphered PIN of a data file (22) read out from said dedicated file (24) in said card type storage medium (10) by said dedicated file access instructing means (44). 

9. A card type storage medium comprising a storage unit (2) having a file area (21) holding data in each file as a unit and a directory area (23) holding therein control information about each data file (22) in said file area (21) and a control unit (5) managing data in said file area (21) in said storage unit (2) on the basis of said control information held in said directory area (23) in said storage unit (2), said control unit (5) executing updating on a data file (22) in response to an instruction supplied from outside, the storage medium comprising: 

a recovery information unit (25) provided in a data file (22) in said file area (21) in said storage unit (2), into which recovery information obtained every time said control unit (5) updates the data file (22) is written; 

a start serial number obtained when the data file (22) is opened and an end serial number obtained when the data file is closed are written as recovery information into said recovery information unit (25). 

10. A card type storage medium according to 
claim 9, wherein restoration data including a 
record number to be updated and unupdated 
data at said record number obtained when the 
data file (22) is updated are written as recovery 
information into said recovery information unit 
(25). 

11. A card type storage medium according to claim 10, wherein check serial numbers are attached before and after the start serial number, the restoration data and the end serial number, respectively, as recovery information in said recovery information unit (25). 

12. A card type storage medium according to any one of claims 9 through 11, wherein when updating is executed plural times on the same record number in the course from an open to close of a data file (22), restoration data is not written into said recovery information unit (25) on and after the second updating. 

13. A card type storage medium according to any one of claims 9 through 11, wherein information about the presence of a recovery information unit (25) in a data file (22) and information about a relative position of said recovery information unit (25) in the data file (22) if said recovery information unit (25) exists in the data file (22) are set in said control information of the data file (22) in said directory area (23) in said storage unit (2). 

14. A card type storage medium comprising a storage unit (2) having a file area (21) holding data in each file as a unit and a directory area (23) holding control information about each data file (22) in said file area (21) and a control unit (5) managing data in said file area (21) in said storage unit (2) on the basis of the control information in said directory area (23) in said storage unit (2), said control unit (5) comprising a data file opening means (51) opening a data file (22) in said file area (23) in said storage unit (2) according to an opening instruction supplied from outside on the basis of the control information in said directory area (23) in said storage unit (2) in response to the opening instruction, a data file updating means (52) updating data held in a data file (22) having been opened by said data file opening means (51) in response to an updating instruction supplied from the outside after the data file (22) has been opened, and a data file closing means (53) closing the data file (22) having been opened by said data file opening means (51) in response to a closing instruction supplied from the outside after the data file (22) has been opened, the storage medium comprising: 

a recovery information unit (25) provided in a data file (22) in said file area (21) in said storage unit (2), said recovery information unit (25) holding therein recovery information obtained every time said control unit (5) updates the data file (22); 

said control unit (5) further comprising: 

a start serial number obtaining means (54) obtaining a start serial number when said data file opening means (51) opens a data file (22) to write the start serial number as recovery information into said recovery information unit (25); and 

an end serial number obtaining means (56) obtaining an end serial number when said data file closing means (53) closes the data file (22) to write the end serial number as recovery information into said recovery information unit (25). 

15. A card type storage medium according to claim 14, wherein said control unit (5) further comprises a restoration data obtaining means (55) obtaining restoration data including a record number to be updated and unupdated data at said record number when said data file updating means (52) updates said data file (22) to write it as recovery information into said recovery information unit (25). 

16. A card type storage medium according to claim 15, wherein when said start serial number obtaining means (54), said restoration data obtaining means (55) and said end serial number obtaining means (56) obtain a start serial number, restoration data and an end serial number, respectively, check serial numbers are attached as recovery information before and after said start serial number, restoration data and end serial number, respectively, and are written into said recovery information unit (25). 

17. A card type storage medium according to any one of claims 14 through 16, wherein said control unit (5) further comprises a restoration data initializing means initializing restoration data that has been written in said recovery information unit (25) in the last process, before new restoration data obtained by said restoration data obtaining means (55) is written into said recovery information unit (25). 

18. A card type storage medium according to any one of claims 14 through 17, wherein if said data file updating means (52) executes updating plural times on the same record number in the course from an open to close of a data file (22), said restoration data obtaining means (55) avoids writing restoration data into said recovery information unit (25) on and after the second updating. 

19. A card type storage medium according to any one of claims 14 through 18, wherein information about the presence of a recovery information unit (25) in a data file (22) and information about a relative position of said recovery information unit (25) in the data file (22) if said recovery information unit (25) exists in the data file (22) are set in the control information of each data file (22) in said directory area (23) in said storage unit (2). 

20. A card type storage medium according to claim 14, wherein said control unit (5) further comprises a failure detecting means, in response to an open instruction to open a data file (22) supplied from outside, referring to control information about said data file (22) held in said directory area (23) in said storage unit (2), if said data file (22) has a recovery information unit (25), said failure detecting means detecting a failure that has occurred in the last process on the basis of a start serial number, an end serial number and check serial numbers attached before and after the start serial number and end serial number, respectively, written in said recovery information unit (25) as recovery information. 

21. A card type storage medium according to 
claim 20, wherein said failure detecting means 
makes a judgement that a failure occurred 
when said data file opening means (51) 
opened a data file (22) in the last process if 
check serial numbers attached before and after 
a start serial number of said data file (22) are 
in disagreement. 

22. A card type storage medium according to claim 21, wherein said failure detecting means outputs a demand to reprocess the last process and a demand to restore the start serial number if said failure detecting means detects that a failure occurred when the data file (22) was closed in the last process.

23. A card type storage medium according to claim 22, wherein said control unit (5) further comprises a start serial number restoring means for restoring, in response to a restoring demand to restore a start serial number supplied from said failure detecting means, said start serial number written in said recovery information unit (25) into a start serial number at the time of two processes earlier.

24. A card type storage medium according to claim 20, wherein said failure detecting means makes a judgement that a failure occurred when said data file closing means (53) closed a data file (22) if check serial numbers attached before and after a start serial number of said data file (22) are in agreement but check serial numbers attached before and after an end serial number of said data file (22) are in disagreement.

25. A card type storage medium according to claim 24, wherein said failure detecting means outputs a demand to restore the end serial number of the data file (22) if said failure detecting means detects that a failure occurred when said data file (22) was closed in the last process.

26. A card type storage medium according to claim 25, wherein said control unit (5) further comprises an end serial number restoring means for restoring, in response to a demand to restore an end serial number of a data file (22) supplied from said failure detecting means, the end serial number written in said recovery information unit (25) to an end serial number at the time of the last process.

27. A card type storage medium according to claim 20, wherein said failure detecting means makes a judgement that a failure occurred when said data file updating means (52) updated a data file (22) if check serial numbers attached before and after a start serial number of the data file and check serial numbers attached before and after an end serial number of the same are individually in agreement but the start serial number and the end serial number are in disagreement.

28. A card type storage medium according to claim 22, wherein when said failure detecting means detects a failure that has occurred during the last updating process of a data file (22), said failure detecting means outputs a demand to reprocess the last process and a demand to restore data in said data file (22).

29. A card type storage medium according to claim 28, wherein said control unit (5) further comprises a data restoring means for restoring, in response to a demand to restore data in a data file (22) supplied from said failure detecting means, said data in said data file (22) on the basis of restoration data stored in said recovery information unit (25).

30. A card type storage medium according to claim 29, wherein said data restoring means comprises:

a restoration data effectiveness detecting means making a judgement that restoration data is effective if check serial numbers attached before and after said restoration data are in agreement; and

a restoration data writing means writing unupdated data of restoration data that has been judged to be effective by said restoration data effectiveness detecting means as data at a record number of said restoration data into a data file (22).
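The failure detection of claims 20 through 30 can be modelled as a small state machine over the recovery information unit. The following is an added illustration, not code from the patent: it assumes each serial number and the restoration data are stored as [check_before, value, check_after], that a crash mid-write leaves the trailing check unwritten, and that the "two processes earlier" start serial of claim 23 is recovered from the intact end serial of the last completed process. The data file and serial numbers are constructed sample values.

```python
def framed(value, check):
    """Assumed layout of one recovery entry: [check_before, value, check_after]."""
    return [check, value, check]

def intact(entry):
    """Claim 16: the two check serial numbers around an entry must agree."""
    return entry[0] == entry[2]

class RecoveryUnit:
    """Model of recovery information unit (25); data_file is a dict record -> data."""
    def __init__(self):
        self.start, self.end = framed(0, 0), framed(0, 0)
        self.restoration = framed((None, None), 0)  # (record number, unupdated data)

    def run_process(self, serial, rec, new_data, data_file, crash_at=None):
        """One open/update/close cycle; crash_at simulates power loss at that step."""
        self.start = framed(serial, serial)          # open: start serial number
        if crash_at == "open":
            self.start[2] = serial - 1               # trailing check never landed
            return
        self.restoration = framed((rec, data_file[rec]), serial)  # claim 15
        if crash_at == "restoration":
            self.restoration[2] = serial - 1         # torn restoration data
            return
        data_file[rec] = new_data                    # the update itself
        if crash_at == "update":
            return                                   # end serial never written
        self.end = framed(serial, serial)            # close: end serial number
        if crash_at == "close":
            self.end[2] = serial - 1                 # torn end serial write

    def detect_failure(self):
        """Claims 21, 24, 27: classify the failure of the last process, if any."""
        if not intact(self.start):
            return "open"
        if not intact(self.end):
            return "close"
        if self.start[1] != self.end[1]:
            return "update"
        return None

    def recover(self, data_file):
        """Claims 22-30: apply the restoration demanded for the detected failure."""
        failure = self.detect_failure()
        if failure == "open":        # claim 23 (assumed source of the old serial)
            self.start = framed(self.end[1], self.end[1])
        elif failure == "close":     # claim 26: end serial of the last process
            self.end = framed(self.start[1], self.start[1])
        elif failure == "update" and intact(self.restoration):  # claim 30
            rec, old = self.restoration[1]
            data_file[rec] = old     # reprocessing (claim 28) is left to the caller
        return failure
```

An "update" failure with torn restoration data is deliberately left unrestored, matching the effectiveness test of claim 30.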